83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704

Analysis

max time kernel
151s
max time network
170s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05/01/2024, 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe
Size

66KB
MD5

bf8ec633c850b0ee8c95f32af9c2a377
SHA1

9de8159c4eb498a137b76cfc7e6e68666868c861
SHA256

83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704
SHA512

1a1f1b5b50b59889c0ebd23c1f45d94ba89d4b909fa452435a1e46f6ffd1ef2c360644c6fc813098e9109f309264d3de52ca38ccaebe1f50da19570b50fd89fe
SSDEEP

1536:hxDacx1aeg1vjrI9U/xvyyZ/MF0Vz5gpEaDoc:hMf9kU0k/W0VzBaDP

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
1828	Logo1_.exe
4904	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\lua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\themes\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\he-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ca-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-gb\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-gb\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ARCTIC\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe
File created	C:\Windows\Logo1_.exe	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4856	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe
4856	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe
4856	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe
4856	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe
4856	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe
4856	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe
4856	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe
4856	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe
4856	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe
4856	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe
4856	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe
4856	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe
4856	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe
4856	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe
4856	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe
4856	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe
4856	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe
4856	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe
4856	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe
4856	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe
4856	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe
4856	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe
4856	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe
4856	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe
4856	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe
4856	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe
1828	Logo1_.exe
1828	Logo1_.exe
1828	Logo1_.exe
1828	Logo1_.exe
1828	Logo1_.exe
1828	Logo1_.exe
1828	Logo1_.exe
1828	Logo1_.exe
1828	Logo1_.exe
1828	Logo1_.exe
1828	Logo1_.exe
1828	Logo1_.exe
1828	Logo1_.exe
1828	Logo1_.exe
1828	Logo1_.exe
1828	Logo1_.exe
1828	Logo1_.exe
1828	Logo1_.exe
1828	Logo1_.exe
1828	Logo1_.exe
1828	Logo1_.exe
1828	Logo1_.exe
1828	Logo1_.exe
1828	Logo1_.exe
1828	Logo1_.exe
1828	Logo1_.exe
1828	Logo1_.exe
1828	Logo1_.exe
1828	Logo1_.exe
1828	Logo1_.exe
1828	Logo1_.exe
1828	Logo1_.exe
1828	Logo1_.exe
1828	Logo1_.exe
1828	Logo1_.exe
1828	Logo1_.exe
1828	Logo1_.exe
1828	Logo1_.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 4856 wrote to memory of 1868	4856	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe	89
PID 4856 wrote to memory of 1868	4856	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe	89
PID 4856 wrote to memory of 1868	4856	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe	89
PID 1868 wrote to memory of 964	1868	net.exe	92
PID 1868 wrote to memory of 964	1868	net.exe	92
PID 1868 wrote to memory of 964	1868	net.exe	92
PID 4856 wrote to memory of 3860	4856	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe	93
PID 4856 wrote to memory of 3860	4856	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe	93
PID 4856 wrote to memory of 3860	4856	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe	93
PID 4856 wrote to memory of 1828	4856	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe	94
PID 4856 wrote to memory of 1828	4856	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe	94
PID 4856 wrote to memory of 1828	4856	83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe	94
PID 1828 wrote to memory of 4044	1828	Logo1_.exe	96
PID 1828 wrote to memory of 4044	1828	Logo1_.exe	96
PID 1828 wrote to memory of 4044	1828	Logo1_.exe	96
PID 4044 wrote to memory of 4820	4044	net.exe	98
PID 4044 wrote to memory of 4820	4044	net.exe	98
PID 4044 wrote to memory of 4820	4044	net.exe	98
PID 3860 wrote to memory of 4904	3860	cmd.exe	100
PID 3860 wrote to memory of 4904	3860	cmd.exe	100
PID 3860 wrote to memory of 4904	3860	cmd.exe	100
PID 1828 wrote to memory of 4836	1828	Logo1_.exe	101
PID 1828 wrote to memory of 4836	1828	Logo1_.exe	101
PID 1828 wrote to memory of 4836	1828	Logo1_.exe	101
PID 4836 wrote to memory of 488	4836	net.exe	103
PID 4836 wrote to memory of 488	4836	net.exe	103
PID 4836 wrote to memory of 488	4836	net.exe	103
PID 1828 wrote to memory of 3516	1828	Logo1_.exe	81
PID 1828 wrote to memory of 3516	1828	Logo1_.exe	81

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3516
- C:\Users\Admin\AppData\Local\Temp\83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe
  "C:\Users\Admin\AppData\Local\Temp\83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1868
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:964
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB381.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3860
  - - C:\Users\Admin\AppData\Local\Temp\83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe
      "C:\Users\Admin\AppData\Local\Temp\83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe"
      4⤵
      Executes dropped EXE
      PID:4904
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1828
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4044
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:4820
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4836
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
258KB

MD5
d3adc69a0af918de8ca779119dc3824e

SHA1
1acd37dbe349ee094f20adedeead47187d449876

SHA256
331366057a460595eea4cd12de73bd9e2fcc6127487fc6a070b1d1c056700f9f

SHA512
346c88bf50e019ff7ebe812584dedba2b1dd13ac02e58f75c0e6c3834daf9c87000bf4f1bba0d2075edfaa24413cc11decf9dcddb05dcc7d9c72294186f1e733

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
577KB

MD5
64fcb1314553bbd5d37cbd53859f6a9b

SHA1
b4a2cbec34e9c82e14a755e8d81d2716e3336211

SHA256
94a1ae0381b67a16312dbe48bc84f2445c4234c230c7444accd74157e4b6f41c

SHA512
665d48ec7b8a9ca393885b23f4d73b1b1a1d6b5bb3fec7b2e19250cd39bc34d35bdb878fb39bb46373e763c859bf8bba0d23d4d53a188d292ff1c94cf92da21a

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
488KB

MD5
f3a219efeb83fbd4829722cfc47975ac

SHA1
6ac52fe7af8ee95ed136f432c1563d8bc44c5cf8

SHA256
9d831a1989490b2cba9754cb5e5e5fe83604e546e51eb7d1d2c13cb176f1db82

SHA512
c597ae5abbfc5616ff2e89432e9f4c90d0491f5433af522834844cf9bbc832d2d4aff1e1abf22bd232ec7ef285c539a68837f56e7c33efd82b0a8ad9282b3ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB381.bat

Filesize
722B

MD5
e1cc5a5ba611354bbc2ccafdf37ac0e0

SHA1
bcfcf3e5da7fc49b9bbf80ad9193a3d12e3e7b43

SHA256
088533a194c4b19fab47ddb99094938b0385bcbeeebfa927011500714d2786eb

SHA512
577c2109453b31739bf584937be9ec091cf089f9642ac02d421b6380af969ff6c03148fdb5026a18f92a4f7c97f45e01d2c599bbd757412e91ae1487c984fc9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\83889fe248efc28953e990c521f1318902a936556e2b8952b4c6e7e9dc08b704.exe.exe

Filesize
33KB

MD5
cfcf15f5729649399cfb9b2590c9e80a

SHA1
f595a3f2812a29492326e5a0478f3924bcbae545

SHA256
b6fde5431374f5cc8a2b6b6953d7c466ce8828faf68c43661a2c0cf87481868f

SHA512
bbd925abf352af8962ab5e7d4b76bc4146e806cb0f8fde8a7cc2c13318450b46dd5529f6855065241de56efd72e33f4f9961ef5aa4ba8fd3c1ca312444ac8e19

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
e8ee4723f696b9e3ecde75768c7018be

SHA1
68bcc682ab485eeead9552174bd6d69bf82f96e7

SHA256
905167896d2eecbb77f54d30f6f4e76fc75a804a7d6748f813724afebe930e44

SHA512
6329f42ff79d9fe1a32cf8a7d6bd3e1acdca94e1e0041afc8e9da3a78931f35343def9c9f333091d3cc6db7dd6bbe2e3626a8a74a37535bb048af4b6b56a5e7e

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1815711207-1844170477-3539718864-1000\_desktop.ini

Filesize
8B

MD5
209b72362215bdaaf45b2d2388ee962c

SHA1
872a46c03b4ff1322f5dd750c7ac0a07e5113ca0

SHA256
56dc9a9a2aef97a2582545195a5ae52880339dff396cf5a749551379418aed62

SHA512
45e9bfd535948c288f7342c28cc31fa63331dddc3b2f38afeb6cc1547f1301c46c97f9925905ee4d0ca46bb2d5f40181b913cfeaf9763ae6a38debdd24db7cc9

Download Submit
memory/1828-10-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1828-32-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1828-17-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1828-2620-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1828-6849-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1828-8577-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4856-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4856-9-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download