54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f

Analysis

max time kernel
168s
max time network
129s
platform
windows7_x64
resource
win7-20231025-en
resource tags

arch:x64arch:x86image:win7-20231025-enlocale:en-usos:windows7-x64system
submitted
07/11/2023, 16:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
Size

33KB
MD5

bc64f78c79e2607ab75f3355d94a12a1
SHA1

fe88541a6d571a79a11cdead45c53fc858d3b41f
SHA256

54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f
SHA512

ed1ad8a75e70429a083d1c6b380ceec9f95ed25e3ac7aa711762e2bb10e6fd5273f4f7112214c6d96c90812d95bfa6cc1dfb7a3f68bceca5142c772c08b024ab
SSDEEP

768:VGO5RroZJ767395uINv6v+stOLzyGOzEWF3vXVkSGN2EO:VGe+Zk77RNyvb0LzszE83C8

Score

7^/10

spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened (read-only)	\??\N:	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened (read-only)	\??\J:	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened (read-only)	\??\Z:	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened (read-only)	\??\X:	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened (read-only)	\??\S:	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened (read-only)	\??\Q:	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened (read-only)	\??\I:	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened (read-only)	\??\W:	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened (read-only)	\??\T:	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened (read-only)	\??\P:	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened (read-only)	\??\K:	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened (read-only)	\??\E:	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened (read-only)	\??\G:	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened (read-only)	\??\Y:	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened (read-only)	\??\V:	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened (read-only)	\??\U:	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened (read-only)	\??\R:	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened (read-only)	\??\M:	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened (read-only)	\??\L:	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened (read-only)	\??\H:	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\setup_wm.exe	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened for modification	C:\Program Files\Windows Journal\it-IT\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ImagingDevices.exe	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Antarctica\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File created	C:\Program Files\Internet Explorer\en-US\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File created	C:\Program Files\Windows Media Player\Icons\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File created	C:\Program Files\Java\jre7\lib\zi\Africa\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\MPP\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File created	C:\Program Files\Microsoft Games\Hearts\de-DE\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mn\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javaws.exe	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File created	C:\Program Files\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File created	C:\Program Files\Microsoft Games\Hearts\ja-JP\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File created	C:\Program Files\Microsoft Games\More Games\fr-FR\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\it-IT\_desktop.ini	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
File created	C:\Windows\Dll.dll	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2080	2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe	28
PID 2136 wrote to memory of 2080	2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe	28
PID 2136 wrote to memory of 2080	2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe	28
PID 2136 wrote to memory of 2080	2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe	28
PID 2080 wrote to memory of 2948	2080	net.exe	31
PID 2080 wrote to memory of 2948	2080	net.exe	31
PID 2080 wrote to memory of 2948	2080	net.exe	31
PID 2080 wrote to memory of 2948	2080	net.exe	31
PID 2136 wrote to memory of 2816	2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe	32
PID 2136 wrote to memory of 2816	2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe	32
PID 2136 wrote to memory of 2816	2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe	32
PID 2136 wrote to memory of 2816	2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe	32
PID 2816 wrote to memory of 2820	2816	net.exe	34
PID 2816 wrote to memory of 2820	2816	net.exe	34
PID 2816 wrote to memory of 2820	2816	net.exe	34
PID 2816 wrote to memory of 2820	2816	net.exe	34
PID 2136 wrote to memory of 1204	2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe	12
PID 2136 wrote to memory of 1204	2136	54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe	12

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1204
- C:\Users\Admin\AppData\Local\Temp\54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe
  "C:\Users\Admin\AppData\Local\Temp\54d961abf4fa286573e97f8ea4ed715af9603144859cb14d2e371f92e62ffb1f.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2080
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:2948
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
258KB

MD5
ede9b3296bc2701178852eb47c0c4553

SHA1
2d3bcbacf09a51e7ca4eb9a1a1a428f104ecf52f

SHA256
3df26c0a1e3ad198b87131c46065861ab28dc5ba88475d2f9874c76becc825cf

SHA512
84bcf297f5163c0e4095d28c63df53944652ef2ec5234e521a77a92f953b8104a42fc3b8f0ee167c1ca25369c39c4f9b9e5c53908ecd265d7244fe3c4e93e36c

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
601KB

MD5
d91dfa8e4aa6a584ff8c660b727a8f49

SHA1
9b43631b8f31bd2d563f8cf57081153de1c07791

SHA256
2b9b239d9825465b5f79c197c553242adf38b9bdb66d6677f59900df811dab7d

SHA512
370145c1d1497d4e26e8b691a4b55d55c8806f4309aabdcc127fbce69eeade8b68dba5a996268e096cf65792fbab26b978550a0a9ddb2a4bb8e631934b46dc90

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
478KB

MD5
7d02ce65078275c7695fbb416561b2d7

SHA1
0c1b2e310373d9e420d0e9197e7d28ae2c8bb348

SHA256
8361cffdedd63438e6c13d51bb8d8e6ad0a47665a7380e3311ce6945a501b0ae

SHA512
be375ca2b76a339849f3b26bd40767658cdd343e4286b43de69bfd2ce3f9e1b7ba1d8d1c86b65b3926ddc43e6740e3f222bbd8fcf83c2cdfa93409f2ec44c26b

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1861898231-3446828954-4278112889-1000\_desktop.ini

Filesize
9B

MD5
35dff1b2d2822022424940d4487e8d0d

SHA1
cf3c5e0326ffacd39689a35b566c8d3c626cc96b

SHA256
0432a628b4273444218f05d7d906b391ab84e1d51bc1b084c37456324e0f84ae

SHA512
91c1e3f5497c8c249e695b9e6f844f141b8747d5d1c5d23d09a2e39aae974cfcfe26b6a4580904b87aa495d452df942937fd721ff8189016a59f61c0835e1665

Download Submit
memory/1204-3-0x0000000002B20000-0x0000000002B21000-memory.dmp

Filesize
4KB

Download
memory/2136-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2136-7-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2136-22-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2136-726-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2136-1866-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2136-3297-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2136-4064-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download