79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0

Analysis

max time kernel
150s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
24/02/2024, 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe
Size

72KB
MD5

55eb01d65d1be47bb0fcb009b9eace53
SHA1

7b8efe95ade2192156fec0f1f70c022c0a58a400
SHA256

79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0
SHA512

44a894d7e1fd50a617e858f122a33e81595c5e1261405d73c5bc482a085e00cc3007aad8b782492b3ced15e418c7d86aaeb058698ac9a33c176e1e1ccaff6d23
SSDEEP

1536:8oqe+Zk7VJbwlYXjPrsqrZMYR5p8wk2kKzs2Irj5hN:8je+azbRPrlr9RXFk2kKzQj5r

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
3044	Logo1_.exe
2936	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RIPPLE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\an\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\wabmig.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PSReadline\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Services\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\access\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ne\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\uz\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Skins\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\browser\VisualElements\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\MSBuild\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe
File created	C:\Windows\Logo1_.exe	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2104	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe
2104	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe
2104	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe
2104	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe
2104	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe
2104	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe
2104	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe
2104	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe
2104	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe
2104	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe
2104	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe
2104	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe
2104	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe
2104	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe
2104	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe
2104	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe
2104	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe
2104	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe
2104	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe
2104	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe
2104	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe
2104	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe
2104	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe
2104	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe
2104	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe
2104	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe
3044	Logo1_.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2104 wrote to memory of 4208	2104	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe	88
PID 2104 wrote to memory of 4208	2104	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe	88
PID 2104 wrote to memory of 4208	2104	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe	88
PID 4208 wrote to memory of 1492	4208	net.exe	89
PID 4208 wrote to memory of 1492	4208	net.exe	89
PID 4208 wrote to memory of 1492	4208	net.exe	89
PID 2104 wrote to memory of 2320	2104	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe	93
PID 2104 wrote to memory of 2320	2104	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe	93
PID 2104 wrote to memory of 2320	2104	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe	93
PID 2104 wrote to memory of 3044	2104	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe	94
PID 2104 wrote to memory of 3044	2104	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe	94
PID 2104 wrote to memory of 3044	2104	79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe	94
PID 3044 wrote to memory of 4196	3044	Logo1_.exe	95
PID 3044 wrote to memory of 4196	3044	Logo1_.exe	95
PID 3044 wrote to memory of 4196	3044	Logo1_.exe	95
PID 4196 wrote to memory of 2984	4196	net.exe	97
PID 4196 wrote to memory of 2984	4196	net.exe	97
PID 4196 wrote to memory of 2984	4196	net.exe	97
PID 2320 wrote to memory of 2936	2320	cmd.exe	99
PID 2320 wrote to memory of 2936	2320	cmd.exe	99
PID 2320 wrote to memory of 2936	2320	cmd.exe	99
PID 3044 wrote to memory of 5064	3044	Logo1_.exe	100
PID 3044 wrote to memory of 5064	3044	Logo1_.exe	100
PID 3044 wrote to memory of 5064	3044	Logo1_.exe	100
PID 5064 wrote to memory of 2488	5064	net.exe	103
PID 5064 wrote to memory of 2488	5064	net.exe	103
PID 5064 wrote to memory of 2488	5064	net.exe	103
PID 3044 wrote to memory of 3428	3044	Logo1_.exe	19
PID 3044 wrote to memory of 3428	3044	Logo1_.exe	19

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3428
- C:\Users\Admin\AppData\Local\Temp\79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe
  "C:\Users\Admin\AppData\Local\Temp\79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2104
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4208
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:1492
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6254.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Users\Admin\AppData\Local\Temp\79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe
      "C:\Users\Admin\AppData\Local\Temp\79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe"
      4⤵
      Executes dropped EXE
      PID:2936
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4196
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2984
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5064
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
264KB

MD5
5607ab9d477658733de1dc92f1c5df0e

SHA1
3ecf0a7e0fbe49389bee0a28135478ec386b17c0

SHA256
a03531b2769537e5363cf793bdc80f097dbe3a2766c180350a569019beeda830

SHA512
1b0a7a2bce1225230943fe1957db146d5c3e82a508e33940c0a654b89701506a36bf713f7257d654158b9b4faab26a8aad35ab22ea84c8961cfb1db349d53875

Download Submit
C:\Program Files\MergeRequest.exe

Filesize
445KB

MD5
922b4fd164580683265d70f6164e4d37

SHA1
801574734a3e65288559f900b44deefb2302aa89

SHA256
53c776ed715e68e296d065ac3b6a8b2ea3a443e1e4eb3b821861c254994b5cc1

SHA512
0d0b67a0def760add166423d4c931ec94d06ff8c4aa2823eb576b1a252529f0a1ae17a3919d427e6779b38d917bfa7df11c881b31750bf75577ece0193104f7c

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
494KB

MD5
d514ce87b356cef8d2ba02c1680cf782

SHA1
0d87db8e33c254f024f2fdb9fb88277ecf11b1f3

SHA256
735d079cee41fddd6aafcfd4bba8caab23b37646a97bc45266b8cdb6ebbd6d26

SHA512
fc60dae14a29467d17997bdfb0cd7289a1c7b5abb3fd75de90ae1dcd9d1d5c7aa710f0a8113fb24561617debe8d548996df3782d999d98a0638a893fb8502c40

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a6254.bat

Filesize
722B

MD5
6f3c2d238dec45ff31ef8d868615a68b

SHA1
2476949a4a5e28cfa2810b3ed96d714c0823bb43

SHA256
c7dea979ffc496fc608962d273a12b45cf3f1c92baf8aabef1118a890153e2d6

SHA512
22c521a65179902e7795ce2b21d106cbb3aaf38646cfe09a70bc32ef54cdec2a58be5ec88ef7b6ed14826327b2ca3d2e13997d9b1f08278100eec77897fbe154

Download Submit
C:\Users\Admin\AppData\Local\Temp\79b3f9630ba66b90e63ca87c9e55db1030fe5fae9c11f24b262415df8bbf4cb0.exe.exe

Filesize
33KB

MD5
97ec61761e1fdfb2f1d4ea4d221a43d1

SHA1
d6e1682a8dd967bdffe8c145731fb9ea1d0a3509

SHA256
1f3069b596484ffa16181226b07c67ee1cb0f41d191ddde7c02f6bb75336cc52

SHA512
7d34cc27dce09e2711d76f39c5f44525937ac15723aaedc303c154223f3ec42e6043374582614cc3067795781a2daf6ea8935f3f3b0a8747fa783cedf36090a9

Download Submit
C:\Windows\Logo1_.exe

Filesize
39KB

MD5
a93f5efc0b2c641bd652a684e460e1c6

SHA1
3e14fa1a93963965769d42a31b494afc7aa894c0

SHA256
ce50adfbb271796afc33d20c4433bee5e16446b56596c7a7cb100e8748b17310

SHA512
cbcab17e89a46cf8c2136dff9b4684776a92d7a429b6772198e7f6e48047e054c41d5935302719d615a6a7219edaf1f5fd60f096d9a56caf8eb12f5bc5565265

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1790404759-2178872477-2616469472-1000\_desktop.ini

Filesize
9B

MD5
cfe6f484be357c72eb43c1bf358667cc

SHA1
e3d7e0445522b691704b4118172728b6a29eb809

SHA256
da822ce24d9fbaf4a51165971caf1c53642c637bb0140121b9041e3b23b05946

SHA512
29d9ed22715e24413a7b4110e4a45e99110c8b7c0e4f6b0033d5b41f9564687e70aabb182ff809223355daccc6bebf4a90df3dfd6bbbc54649227bf38097b236

Download Submit
memory/2104-8-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2104-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3044-17-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3044-1257-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3044-5135-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3044-10-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3044-8620-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download