Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-05-2024 13:14

Static task: static1

Behavioral task: behavioral1
Sample: 1abbb3947ae01ad0babb9ae82b5875f976c8df1da25d14838a31e285c0aa07f5.exe
Resource: win7-20240221-en

Behavioral task: behavioral2
Sample: 1abbb3947ae01ad0babb9ae82b5875f976c8df1da25d14838a31e285c0aa07f5.exe
Resource: win10v2004-20240426-en

General
-
Target
1abbb3947ae01ad0babb9ae82b5875f976c8df1da25d14838a31e285c0aa07f5.exe
-
Size
176KB
-
MD5
401e8a990286a11259321ecbf63b09bd
-
SHA1
f8fc744fa28f1e35f138ac39f3ae3638635f7e4a
-
SHA256
1abbb3947ae01ad0babb9ae82b5875f976c8df1da25d14838a31e285c0aa07f5
-
SHA512
505bfa7147e982068ba29d91bcc8e00c5024bd48e801f93fa0860d849ab7a3a60da8b08ff4786e0099a2103b5f29dc57f4fcc06087be1cf6192998f29497a041
-
SSDEEP
3072:CftffjmNzzQpgLQHVdLoSewS7fRlDvggtJ6xYlcv9Wielt5WWD/3FMo+S8ovOGaL:SVfjmNzzIB0ZqNv
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid | Process
4104 | Logo1_.exe
1088 | 1abbb3947ae01ad0babb9ae82b5875f976c8df1da25d14838a31e285c0aa07f5.exe
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
-
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\rundl132.exe | 1abbb3947ae01ad0babb9ae82b5875f976c8df1da25d14838a31e285c0aa07f5.exe
File created | C:\Windows\Logo1_.exe | 1abbb3947ae01ad0babb9ae82b5875f976c8df1da25d14838a31e285c0aa07f5.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\vDll.dll | Logo1_.exe
-
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe
-
Enumerates system info in registry 2 TTPs 2 IoCs
description | ioc | Process
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe
-
Modifies system certificate store
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2 | 1abbb3947ae01ad0babb9ae82b5875f976c8df1da25d14838a31e285c0aa07f5.exe
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob | 1abbb3947ae01ad0babb9ae82b5875f976c8df1da25d14838a31e285c0aa07f5.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid | Process
4104 | Logo1_.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeBackupPrivilege | 632 | dw20.exe
-
Suspicious use of WriteProcessMemory 20 IoCs
description | pid | Process | procid_target
PID 1940 wrote to memory of 3128 | 1940 | 1abbb3947ae01ad0babb9ae82b5875f976c8df1da25d14838a31e285c0aa07f5.exe | 83
PID 1940 wrote to memory of 4104 | 1940 | 1abbb3947ae01ad0babb9ae82b5875f976c8df1da25d14838a31e285c0aa07f5.exe | 84
PID 4104 wrote to memory of 3412 | 4104 | Logo1_.exe | 85
PID 3412 wrote to memory of 1812 | 3412 | net.exe | 88
PID 3128 wrote to memory of 1088 | 3128 | cmd.exe | 89
PID 1088 wrote to memory of 632 | 1088 | 1abbb3947ae01ad0babb9ae82b5875f976c8df1da25d14838a31e285c0aa07f5.exe | 93
PID 4104 wrote to memory of 3452 | 4104 | Logo1_.exe | 56
Processes
C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 3452

    C:\Users\Admin\AppData\Local\Temp\1abbb3947ae01ad0babb9ae82b5875f976c8df1da25d14838a31e285c0aa07f5.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\1abbb3947ae01ad0babb9ae82b5875f976c8df1da25d14838a31e285c0aa07f5.exe"
        PID: 1940
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a564E.bat
            PID: 3128
            - Suspicious use of WriteProcessMemory

            C:\Users\Admin\AppData\Local\Temp\1abbb3947ae01ad0babb9ae82b5875f976c8df1da25d14838a31e285c0aa07f5.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\1abbb3947ae01ad0babb9ae82b5875f976c8df1da25d14838a31e285c0aa07f5.exe"
                PID: 1088
                - Executes dropped EXE
                - Modifies system certificate store
                - Suspicious use of WriteProcessMemory

                C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe
                    Command line: dw20.exe -x -s 1852
                    PID: 632
                    - Checks processor information in registry
                    - Enumerates system info in registry
                    - Suspicious use of AdjustPrivilegeToken

        C:\Windows\Logo1_.exe
            Command line: C:\Windows\Logo1_.exe
            PID: 4104
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\net.exe
                Command line: net stop "Kingsoft AntiVirus Service"
                PID: 3412
                - Suspicious use of WriteProcessMemory

                C:\Windows\SysWOW64\net1.exe
                    Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                    PID: 1812

Network
MITRE ATT&CK Enterprise v15
Downloads
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize: 636KB
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C3948BE6E525B8A8CEE9FAC91C9E392_F83C7CE432EB2A0104CE0F63B9A54C4E
Filesize: 5B
C:\Users\Admin\AppData\Local\Temp\1abbb3947ae01ad0babb9ae82b5875f976c8df1da25d14838a31e285c0aa07f5.exe.exe
Filesize: 149KB