4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e

Analysis

max time kernel
150s
max time network
107s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/04/2024, 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
Size

717KB
MD5

947fb0a70bedead559e53be801302d4b
SHA1

f3768e716d67384870ed06c1cca9911166f2f2d6
SHA256

4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e
SHA512

7da4830f680a307ec75785c6f6cf82b09f5cdca52e631dc86252db2bd0c8668880bb628d4b2434ef13944af90f46e34ab94853b9d6db856b33763a3fca6b1832
SSDEEP

12288:A+agfC6Aj+TN5uixZN+8rKhUdTC/wE1ZD0Ca5ZIXV:ABMLOS2opPIXV

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
1496	Logo1_.exe
692	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\Office.en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ca-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\browser\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Configuration\Schema\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\extensions\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\themes\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\host\fxr\8.0.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA6\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_BR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_pwa_launcher.exe	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sv-se\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\Sigma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\pt-BR\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
File created	C:\Windows\Logo1_.exe	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4100	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
4100	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
4100	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
4100	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
4100	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
4100	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
4100	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
4100	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
4100	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
4100	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
4100	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
4100	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
4100	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
4100	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
4100	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
4100	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
4100	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
4100	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
4100	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
4100	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
4100	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
4100	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
4100	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
4100	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
4100	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
4100	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
1496	Logo1_.exe
1496	Logo1_.exe
1496	Logo1_.exe
1496	Logo1_.exe
1496	Logo1_.exe
1496	Logo1_.exe
1496	Logo1_.exe
1496	Logo1_.exe
1496	Logo1_.exe
1496	Logo1_.exe
1496	Logo1_.exe
1496	Logo1_.exe
1496	Logo1_.exe
1496	Logo1_.exe
1496	Logo1_.exe
1496	Logo1_.exe
1496	Logo1_.exe
1496	Logo1_.exe
1496	Logo1_.exe
1496	Logo1_.exe
1496	Logo1_.exe
1496	Logo1_.exe
1496	Logo1_.exe
1496	Logo1_.exe
1496	Logo1_.exe
1496	Logo1_.exe
1496	Logo1_.exe
1496	Logo1_.exe
1496	Logo1_.exe
1496	Logo1_.exe
1496	Logo1_.exe
1496	Logo1_.exe
1496	Logo1_.exe
1496	Logo1_.exe
1496	Logo1_.exe
1496	Logo1_.exe
1496	Logo1_.exe
1496	Logo1_.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4100 wrote to memory of 1576	4100	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe	87
PID 4100 wrote to memory of 1576	4100	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe	87
PID 4100 wrote to memory of 1576	4100	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe	87
PID 1576 wrote to memory of 1468	1576	net.exe	89
PID 1576 wrote to memory of 1468	1576	net.exe	89
PID 1576 wrote to memory of 1468	1576	net.exe	89
PID 4100 wrote to memory of 4260	4100	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe	93
PID 4100 wrote to memory of 4260	4100	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe	93
PID 4100 wrote to memory of 4260	4100	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe	93
PID 4100 wrote to memory of 1496	4100	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe	94
PID 4100 wrote to memory of 1496	4100	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe	94
PID 4100 wrote to memory of 1496	4100	4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe	94
PID 1496 wrote to memory of 2704	1496	Logo1_.exe	95
PID 1496 wrote to memory of 2704	1496	Logo1_.exe	95
PID 1496 wrote to memory of 2704	1496	Logo1_.exe	95
PID 2704 wrote to memory of 4868	2704	net.exe	98
PID 2704 wrote to memory of 4868	2704	net.exe	98
PID 2704 wrote to memory of 4868	2704	net.exe	98
PID 4260 wrote to memory of 692	4260	cmd.exe	99
PID 4260 wrote to memory of 692	4260	cmd.exe	99
PID 1496 wrote to memory of 4668	1496	Logo1_.exe	100
PID 1496 wrote to memory of 4668	1496	Logo1_.exe	100
PID 1496 wrote to memory of 4668	1496	Logo1_.exe	100
PID 4668 wrote to memory of 2372	4668	net.exe	102
PID 4668 wrote to memory of 2372	4668	net.exe	102
PID 4668 wrote to memory of 2372	4668	net.exe	102
PID 1496 wrote to memory of 3432	1496	Logo1_.exe	57
PID 1496 wrote to memory of 3432	1496	Logo1_.exe	57

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3432
- C:\Users\Admin\AppData\Local\Temp\4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
  "C:\Users\Admin\AppData\Local\Temp\4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4100
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1576
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:1468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4381.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4260
  - - C:\Users\Admin\AppData\Local\Temp\4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe
      "C:\Users\Admin\AppData\Local\Temp\4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe"
      4⤵
      Executes dropped EXE
      PID:692
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:4868
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4668
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
258KB

MD5
ec71a61715110767626fe1094063291b

SHA1
1fd433c484e987ad74fb6dd5026e94eba029f62f

SHA256
e737572195b0c4d8df6f1211e324b97191d66ba2b409cfaa2dd07fd5b96a87f4

SHA512
61df3880ff6b71b5b2c522678a1ee69011a9387158e3956f6dd8db8e2c76113772fcf2b9979e27ee84d659925d3d44382d9d5da171dcdfb8a3b21c8034297d6f

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
577KB

MD5
5ac4056f9d0b3bd588671434ead1c17f

SHA1
9d3e0e6c41fe202d78ac7adc0c26c0a5d27b5d9c

SHA256
ed3ad6c04b7778bf946fe1a0cea7b00a82542c7cb9687e562741248ea7657411

SHA512
12955c0c491b2f4b5343ba8d64ac9c08eaa77cb5b84929b36fd9efde7e241dd1553d3175fb39d1f4f9a9cb9e1242f501df3943788977fb06b0d30871ba5330d2

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
488KB

MD5
629c52705e4b56528fd0a9bd0ef3b26b

SHA1
8195ef6b90f8893c88887c763bf399cde1787b26

SHA256
4d1c2cdbf0684ef3ea3fc7123812b007687ded0a679275e5ea50f1d936a6fe3d

SHA512
0ea13e8f6c5d3b8e28a002c672f20d626e1ae1f8fb0162690961b2b94b49c6590f20ae50dd018f41b1947161ac62e63fa56b1e2aca5ee7335c3d9b7747817e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a4381.bat

Filesize
722B

MD5
8fbeac5e3e145388d5e0e770265a2992

SHA1
a6ce07e9b3b5f650d6f023318aee8cd737cea4b4

SHA256
c9ae331ecf7f53419f947d06549a6ae7711f1e2ed27b10bcacd62dc86dc21052

SHA512
f347efed9c7845fd5a63563e8b615954e9f8d519f23bcdc6eaf1c6b0b62cab11e1ae755041722d346f0c93730bf292a7beec681e376af42a3783e44b0f78a926

Download Submit
C:\Users\Admin\AppData\Local\Temp\4e0ecb99b4ee189092b1aed638135cbc2cdad8321902b9d4330a80e0435dbd9e.exe.exe

Filesize
684KB

MD5
50f289df0c19484e970849aac4e6f977

SHA1
3dc77c8830836ab844975eb002149b66da2e10be

SHA256
b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305

SHA512
877d852ea1062b90e2fd2f3c4dc7d05d9697e9a9b2929c830a770b62741f6a11e06de73275eb871113f11143faf1cb40d99f7c247862ffb778d26833ed5d7e38

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
c4ec2631f0913b349423b6d2bd687a6b

SHA1
9b9ae1664a063db7e1bd53073f6f1c3a62fa0e55

SHA256
cdaed7acb956972ce40a95412620150fcf1428c34a8ddbd0e9f0742df0d885bb

SHA512
a8ba683aa3c9d607d7ef9c3ec28a924b23be85a90e5334eb2a9f6edb8117442a818608c44f010b2bdaec052319fcc6436b5628408f4ebb82d207196df1729e86

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-566096764-1992588923-1249862864-1000\_desktop.ini

Filesize
8B

MD5
eb2b82f341fdb4eae25ceb49373ed303

SHA1
cf7db5d16d0cdb9abd32cb4fe1e343e2296142b0

SHA256
8a35cc496890b7089f69f59dd7dd7fed74622e8ff18cf9f99d49c94aa5888c5a

SHA512
895d5f91dcdf77750063ec0b0112b643597bfcc87ddaa30f07864adeadf185ce062ead7699d964bd05135dcf034ca4028165ec95ab2e17b549c5faf2236f8982

Download Submit
memory/1496-2797-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1496-17-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1496-10-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1496-8654-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4100-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4100-8-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download