7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe
Size

70KB
MD5

c2b408720a083a40c77461ea675f2125
SHA1

c0a6806222414d70c0e38b207fb764d5cd78a95e
SHA256

7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47
SHA512

e2eff1ebbefe15b22e9b088efba636d54233d53b82c56dc09fed431e35a523e087d17d91e693b6093a4c32cf78f40b8afb2708d98988971d7b943a2adda722fe
SSDEEP

1536:/iSe+Zk78NR3dN5nPYriw+d9bHrkT5gUHz7FxtJ:/Pe+a+3dN5QrBkfkT5xHzD

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
4116	Logo1_.exe
3100	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hans\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sv-se\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\he-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ie\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\intf\modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Integration\Addons\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fr-fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\msinfo32.exe	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\libs\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lg\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\Simple\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ca-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sl-si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ar-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\Registration\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-fr\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe
File created	C:\Windows\Logo1_.exe	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4396	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe
4396	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe
4396	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe
4396	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe
4396	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe
4396	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe
4396	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe
4396	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe
4396	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe
4396	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe
4396	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe
4396	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe
4396	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe
4396	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe
4396	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe
4396	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe
4396	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe
4396	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe
4396	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe
4396	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe
4396	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe
4396	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe
4396	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe
4396	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe
4396	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe
4396	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe
4116	Logo1_.exe
4116	Logo1_.exe
4116	Logo1_.exe
4116	Logo1_.exe
4116	Logo1_.exe
4116	Logo1_.exe
4116	Logo1_.exe
4116	Logo1_.exe
4116	Logo1_.exe
4116	Logo1_.exe
4116	Logo1_.exe
4116	Logo1_.exe
4116	Logo1_.exe
4116	Logo1_.exe
4116	Logo1_.exe
4116	Logo1_.exe
4116	Logo1_.exe
4116	Logo1_.exe
4116	Logo1_.exe
4116	Logo1_.exe
4116	Logo1_.exe
4116	Logo1_.exe
4116	Logo1_.exe
4116	Logo1_.exe
4116	Logo1_.exe
4116	Logo1_.exe
4116	Logo1_.exe
4116	Logo1_.exe
4116	Logo1_.exe
4116	Logo1_.exe
4116	Logo1_.exe
4116	Logo1_.exe
4116	Logo1_.exe
4116	Logo1_.exe
4116	Logo1_.exe
4116	Logo1_.exe
4116	Logo1_.exe
4116	Logo1_.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4396 wrote to memory of 4828	4396	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe	85
PID 4396 wrote to memory of 4828	4396	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe	85
PID 4396 wrote to memory of 4828	4396	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe	85
PID 4828 wrote to memory of 324	4828	net.exe	87
PID 4828 wrote to memory of 324	4828	net.exe	87
PID 4828 wrote to memory of 324	4828	net.exe	87
PID 4396 wrote to memory of 4584	4396	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe	92
PID 4396 wrote to memory of 4584	4396	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe	92
PID 4396 wrote to memory of 4584	4396	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe	92
PID 4396 wrote to memory of 4116	4396	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe	93
PID 4396 wrote to memory of 4116	4396	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe	93
PID 4396 wrote to memory of 4116	4396	7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe	93
PID 4116 wrote to memory of 4112	4116	Logo1_.exe	94
PID 4116 wrote to memory of 4112	4116	Logo1_.exe	94
PID 4116 wrote to memory of 4112	4116	Logo1_.exe	94
PID 4112 wrote to memory of 2112	4112	net.exe	96
PID 4112 wrote to memory of 2112	4112	net.exe	96
PID 4112 wrote to memory of 2112	4112	net.exe	96
PID 4584 wrote to memory of 3100	4584	cmd.exe	98
PID 4584 wrote to memory of 3100	4584	cmd.exe	98
PID 4116 wrote to memory of 644	4116	Logo1_.exe	99
PID 4116 wrote to memory of 644	4116	Logo1_.exe	99
PID 4116 wrote to memory of 644	4116	Logo1_.exe	99
PID 644 wrote to memory of 2736	644	net.exe	101
PID 644 wrote to memory of 2736	644	net.exe	101
PID 644 wrote to memory of 2736	644	net.exe	101
PID 4116 wrote to memory of 3420	4116	Logo1_.exe	56
PID 4116 wrote to memory of 3420	4116	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3420
- C:\Users\Admin\AppData\Local\Temp\7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe
  "C:\Users\Admin\AppData\Local\Temp\7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4396
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4828
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:324
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6716.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4584
  - - C:\Users\Admin\AppData\Local\Temp\7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe
      "C:\Users\Admin\AppData\Local\Temp\7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe"
      4⤵
      Executes dropped EXE
      PID:3100
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4116
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4112
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2112
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:644
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe

Filesize
577KB

MD5
56dff40d6b9bd9c0faa93c001703a62a

SHA1
5382f5e3cb2a4a1d952a1a352383b042dba9ce70

SHA256
fcdedf720a1d38c2626c8c6541644ceab2fe9fde50fbfa5a9665a1cc6a45091e

SHA512
6b239e3df43002e5443a072f3e92f3d1f076ffa1fa51bff2ea0534d2e75febc86a0089f4c9f5797a28ec288a6273128229095cc08230a3f9d352abb19f8acebd

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
643KB

MD5
b06c23c388c6c6a3219fdaf5efaabccf

SHA1
ada13c3c4449d222de774ebd037078ba31d33cd2

SHA256
8efeb8be3a4ae59e4106e6c1d9e122d8ecb84b71cf01796f27d94ecfe80e0809

SHA512
aefc2fbbf660ee465ac7f174ab8f3de242c352d473a02ee96214d29a5e854e88c7ad842685bdb81698c8d51e0b597d7379c3a039e704839be748fe96a68c23b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a6716.bat

Filesize
722B

MD5
7dd8dfcc3b92ef51a8efe3b129555288

SHA1
b624399d047f77183637f69f3cc0b1b90e40ac4d

SHA256
c1a6a651a983b12f94cb004638806c8690eb2c97d11195dd5f632de24acf242f

SHA512
bd9f60ca25618e8dbbd642004889e4554603c8c04e7c986752c5bf7de9cf6c6da5731f580021bc698289e9d7321a07b25f0f4594a03e02ee195a564aebfede4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7fb452aad8382d72e5e036cbcc84b411383d891a2ba9f01b199581e803e32c47.exe.exe

Filesize
36KB

MD5
9f498971cbe636662f3d210747d619e1

SHA1
44b8e2732fa1e2f204fc70eaa1cb406616250085

SHA256
8adf6748981c3e7b62f5dbca992be6675574fffbce7673743f2d7fe787d56a41

SHA512
b73083c2f7b028d2946cb8f7b4fe2289fedaa4175364a2aac37db0aeff4602aede772ccc9eba7e6dcfcb7276e52604ca45d8021952201b5834485b48bca3dc93

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
f45e6c5efcb60796280b160b181a07dc

SHA1
8d175dae2c97edaedeb1693ab2f1b4a9b9d981d4

SHA256
7447829ed8519dd4ee03c37defff6d9c5f2bf06e2ae605da9efece0c495f5844

SHA512
1165d2d74f5a0dddd6d99f320c4563a1625da3b8125243baee289ce747c1665766e8dcdd6ae259e11efff5b27e572a8f432c3a85260d677874c7e1dbbcf5d088

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-4018855536-2201274732-320770143-1000\_desktop.ini

Filesize
9B

MD5
392ab9dcf5a9daf53626ea1f2e61d0b9

SHA1
0a2cdc7f8f9edf33f9fde3f8b90e0020190c8fb7

SHA256
9bbc94aad502d7d7a7f502ddb9cbd93b1c89eff13e445971c94ac09215ada67d

SHA512
5d1fea63a7793a65dc63c32cfe3ab2e1af941ded8e760f08fbe991e5b30433f86f920d717235a635020740c8f6f7996b4b8e8147e331b29141fcbb7bdc68144d

Download Submit
memory/4116-11-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4116-18-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4116-5220-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4116-8725-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4396-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4396-10-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download