323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1

Analysis

max time kernel
150s
max time network
102s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2024, 14:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe
Size

491KB
MD5

90e617b3cb538bdbebb67d1acb928fd2
SHA1

1d21aa75aef945020c81a487e85f11b42a5780e1
SHA256

323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1
SHA512

b5c2b80566046eabfee7e64f4773db78674a3abae013ecbfaff9ccbeb418a4f65e06553cd541ce6585cdc5ee956f41775d171161c5a9a0833f7d3d486bfa32bd
SSDEEP

12288:IKI1quIf1gL5pRTcAkS/3hzN8qE43fm78V:DI1q45jcAkSYqyE

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
1104	Logo1_.exe
3540	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ca-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\eu-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVLP.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\eu-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmplayer.exe	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\en_US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office 15\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ca-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\css\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe
File created	C:\Windows\Logo1_.exe	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1112	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe
1112	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe
1112	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe
1112	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe
1112	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe
1112	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe
1112	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe
1112	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe
1112	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe
1112	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe
1112	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe
1112	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe
1112	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe
1112	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe
1112	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe
1112	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe
1112	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe
1112	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe
1112	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe
1112	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe
1112	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe
1112	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe
1112	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe
1112	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe
1112	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe
1112	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe
1104	Logo1_.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 3492	1112	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe	84
PID 1112 wrote to memory of 3492	1112	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe	84
PID 1112 wrote to memory of 3492	1112	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe	84
PID 3492 wrote to memory of 4668	3492	net.exe	86
PID 3492 wrote to memory of 4668	3492	net.exe	86
PID 3492 wrote to memory of 4668	3492	net.exe	86
PID 1112 wrote to memory of 436	1112	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe	90
PID 1112 wrote to memory of 436	1112	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe	90
PID 1112 wrote to memory of 436	1112	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe	90
PID 1112 wrote to memory of 1104	1112	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe	92
PID 1112 wrote to memory of 1104	1112	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe	92
PID 1112 wrote to memory of 1104	1112	323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe	92
PID 1104 wrote to memory of 1392	1104	Logo1_.exe	93
PID 1104 wrote to memory of 1392	1104	Logo1_.exe	93
PID 1104 wrote to memory of 1392	1104	Logo1_.exe	93
PID 436 wrote to memory of 3540	436	cmd.exe	95
PID 436 wrote to memory of 3540	436	cmd.exe	95
PID 1392 wrote to memory of 3964	1392	net.exe	96
PID 1392 wrote to memory of 3964	1392	net.exe	96
PID 1392 wrote to memory of 3964	1392	net.exe	96
PID 1104 wrote to memory of 1072	1104	Logo1_.exe	99
PID 1104 wrote to memory of 1072	1104	Logo1_.exe	99
PID 1104 wrote to memory of 1072	1104	Logo1_.exe	99
PID 1072 wrote to memory of 2188	1072	net.exe	101
PID 1072 wrote to memory of 2188	1072	net.exe	101
PID 1072 wrote to memory of 2188	1072	net.exe	101
PID 1104 wrote to memory of 3508	1104	Logo1_.exe	56
PID 1104 wrote to memory of 3508	1104	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3508
- C:\Users\Admin\AppData\Local\Temp\323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe
  "C:\Users\Admin\AppData\Local\Temp\323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1112
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3492
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:4668
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a41CC.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:436
  - - C:\Users\Admin\AppData\Local\Temp\323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe
      "C:\Users\Admin\AppData\Local\Temp\323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe"
      4⤵
      Executes dropped EXE
      PID:3540
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1104
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1392
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:3964
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1072
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\SaveHide.exe

Filesize
640KB

MD5
2b4f73c1c4e288b5c4c3f9a4e7e36992

SHA1
6149ba64f90048f9e39b9235844a8f0e9f7b67bc

SHA256
2c0adf06cca43f785ed84c82573919e51c612f1ec6df57d4f5945a56e6f909b4

SHA512
ba257de06ee25e012079602b978e40ef689f26ce664b5b60206fe5e9a3e5ee300853f96cc0bd084e331591509dfaa93fbdc0e3f2beffa1c086a0f54d496f44c2

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
643KB

MD5
409182603becc55c541434f07d1d7cf1

SHA1
ccc8cd6353f58ef04cd0f31513643872aa55f7b8

SHA256
1a54b69a041e9608d050ed76a68f4a30a007850d9879d31eb78c3046d3a5735d

SHA512
89802ff33990769e172559e297dff5a7ee0675f14c3424bf947353044a6c2187fd138dbe993112415815e237e7788de463f8a5819fcfd23232bc301514a0e72f

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a41CC.bat

Filesize
722B

MD5
1fc1a435b3499d7e6d775f8427d818de

SHA1
3d7f0c23dfb655d5daf9970b5a5e8dc79c8dfc91

SHA256
18912b90c242dc05d919dfbfa6c7ec03b7a4b6b92e37ec0c384e6645bd1c36c6

SHA512
40595d817e8a9951b5943842559b636d39923fe4ac4fbe712f03cd1e49a36cf4ff86a784e4b76c7f4345dd90d90543e414c3c1f0c480dc82b970358053bd1419

Download Submit
C:\Users\Admin\AppData\Local\Temp\323ddab5b4de87a4ab87adad956ea90ef1d5f8c5274961f98fe63600da0646c1.exe.exe

Filesize
458KB

MD5
619f7135621b50fd1900ff24aade1524

SHA1
6c7ea8bbd435163ae3945cbef30ef6b9872a4591

SHA256
344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2

SHA512
2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
dbaeead00c5f2c719ea726ce5d681465

SHA1
d9bb3c9a2747bb4625f265d46f48722ef88271c7

SHA256
ccb9ee55ad02f5fda55d5b0e8c06e4071fe895b47d622ebc24a79d7c87d3e1a8

SHA512
1526d4e26278f1225a07fdf935de1d7364638af5b77473d2ec97316edf53cc89c4482c496d4b9c7009ee9d969429e9251057a1664ceb0ebda1aef16c703ffa95

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-877519540-908060166-1852957295-1000\_desktop.ini

Filesize
8B

MD5
1b16d2dbd4281ce4e4e5729c608dcb0b

SHA1
851e624080ba5598edb808d4b30fe2d74999ce18

SHA256
c9e46fb51d0588ca1e48ca66731e11992770b9b74a982f9bdbb6ce5b5b75d549

SHA512
cd1c4cf7c7871cb48ce735226b25f689b340037e6c992441e566161de7fca7410762d1a0c2670ee4b6546f7ee854d3219e0e2315c3e0387d9bbe3f08076b5a59

Download Submit
memory/1104-11-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1104-18-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1104-5181-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1104-8733-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1112-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1112-10-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download