9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952

Analysis

max time kernel
149s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 12:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe
Size

96KB
MD5

9bdf0654c011c9bc298f3f1056cbb4ba
SHA1

bf68ac2e43de63dff313e9329752cbc7b7a9d6b3
SHA256

9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952
SHA512

4ddca742115f3dc19e397156e88139d35918f36dcf1c041476c6b5050df32659d3dc9f1543b9a102c370dda199ce0fbd4c4550207fadd61053b694430a894e8e
SSDEEP

1536:rGFaYzMXqtGNtty1yVumRTTChUzS40nWzpXVP/XVXDEiC04pmI+Wy:rGFaY46tGNtty1X0+WzpX9XVXDnj4ry

Score

8^/10

spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Logo1_.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
3680	Logo1_.exe
3924	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ru-ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft.NET\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tt\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cgg\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\wow_helper.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Licenses\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\sd\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themeless\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\fr-FR\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\my\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ca-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\he-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lo\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\en-gb\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\uk-ua\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe
File created	C:\Windows\Logo1_.exe	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1952	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe
1952	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe
1952	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe
1952	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe
1952	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe
1952	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe
1952	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe
1952	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe
1952	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe
1952	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe
1952	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe
1952	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe
1952	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe
1952	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe
1952	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe
1952	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe
1952	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe
1952	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe
1952	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe
1952	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe
1952	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe
1952	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe
1952	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe
1952	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe
1952	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe
1952	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe
3680	Logo1_.exe
3680	Logo1_.exe
3680	Logo1_.exe
3680	Logo1_.exe
3680	Logo1_.exe
3680	Logo1_.exe
3680	Logo1_.exe
3680	Logo1_.exe
3680	Logo1_.exe
3680	Logo1_.exe
3680	Logo1_.exe
3680	Logo1_.exe
3680	Logo1_.exe
3680	Logo1_.exe
3680	Logo1_.exe
3680	Logo1_.exe
3680	Logo1_.exe
3680	Logo1_.exe
3680	Logo1_.exe
3680	Logo1_.exe
3680	Logo1_.exe
3680	Logo1_.exe
3680	Logo1_.exe
3680	Logo1_.exe
3680	Logo1_.exe
3680	Logo1_.exe
3680	Logo1_.exe
3680	Logo1_.exe
3680	Logo1_.exe
3680	Logo1_.exe
3680	Logo1_.exe
3680	Logo1_.exe
3680	Logo1_.exe
3680	Logo1_.exe
3680	Logo1_.exe
3680	Logo1_.exe
3680	Logo1_.exe
3680	Logo1_.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1952 wrote to memory of 2636	1952	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe	83
PID 1952 wrote to memory of 2636	1952	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe	83
PID 1952 wrote to memory of 2636	1952	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe	83
PID 2636 wrote to memory of 1612	2636	net.exe	85
PID 2636 wrote to memory of 1612	2636	net.exe	85
PID 2636 wrote to memory of 1612	2636	net.exe	85
PID 1952 wrote to memory of 548	1952	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe	89
PID 1952 wrote to memory of 548	1952	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe	89
PID 1952 wrote to memory of 548	1952	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe	89
PID 1952 wrote to memory of 3680	1952	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe	90
PID 1952 wrote to memory of 3680	1952	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe	90
PID 1952 wrote to memory of 3680	1952	9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe	90
PID 3680 wrote to memory of 2572	3680	Logo1_.exe	92
PID 3680 wrote to memory of 2572	3680	Logo1_.exe	92
PID 3680 wrote to memory of 2572	3680	Logo1_.exe	92
PID 2572 wrote to memory of 5044	2572	net.exe	95
PID 2572 wrote to memory of 5044	2572	net.exe	95
PID 2572 wrote to memory of 5044	2572	net.exe	95
PID 548 wrote to memory of 3924	548	cmd.exe	94
PID 548 wrote to memory of 3924	548	cmd.exe	94
PID 548 wrote to memory of 3924	548	cmd.exe	94
PID 3680 wrote to memory of 3844	3680	Logo1_.exe	98
PID 3680 wrote to memory of 3844	3680	Logo1_.exe	98
PID 3680 wrote to memory of 3844	3680	Logo1_.exe	98
PID 3844 wrote to memory of 2172	3844	net.exe	100
PID 3844 wrote to memory of 2172	3844	net.exe	100
PID 3844 wrote to memory of 2172	3844	net.exe	100
PID 3680 wrote to memory of 3508	3680	Logo1_.exe	56
PID 3680 wrote to memory of 3508	3680	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3508
- C:\Users\Admin\AppData\Local\Temp\9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe
  "C:\Users\Admin\AppData\Local\Temp\9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe"
  2⤵
  - Drops file in Drivers directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2636
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:1612
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a544A.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:548
  - - C:\Users\Admin\AppData\Local\Temp\9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe
      "C:\Users\Admin\AppData\Local\Temp\9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe"
      4⤵
      Executes dropped EXE
      PID:3924
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops file in Drivers directory
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3680
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:5044
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3844
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
258KB

MD5
e194e3f599f585b521b00ba7d99c03a5

SHA1
2ade918605a7a60bcc840819b52c6fb5f470921b

SHA256
b70334eb15d0c19fcb70b2d250e32a01f1a17bd230401155d3c4fe3065242aa9

SHA512
b7e3c0741cc3ac540da389b2fa66501e1a6c433ab0b22c99b38f40dc57d940d81979b08859d8daa67cd002b02ead5daac4ad9cafce5186bf35b536f6de4b7957

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
577KB

MD5
cac99ad0161a99e0d6fd07e1843524b7

SHA1
c3d87148ecc623592a8061ce4ad6c88584e115ad

SHA256
62d5cd98103b1dc5452f455a26f2b566812386597eb9cfee2ca3b5e01f0a0f27

SHA512
f479dc0ea615699d832539642d4bd63325e1b47e147fe3e94cc6584fc205fa4a1e454375ea5da87238b8210d3565ab742136c3ce850842b76a1335e626041081

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
644KB

MD5
d9b62e4240dd99918ec39a90574fcc1e

SHA1
aca7b6d133487779dad04399979342285ac7ac74

SHA256
3c9be9eeff4911ecb235ec57a0c90c6db74b371d45c7a6fae2afac78a1bf1391

SHA512
8980894349e1d3708f8176fcfc23675061d402126a77af27e6eb61d4d67d41bb2b1e743865f1626a77cca89aff29aa24d21c8cf3f879aba9bd8c0b9a035b8026

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a544A.bat

Filesize
722B

MD5
825c1855c63aed5c31e47ba93f0156c4

SHA1
caa9ea80c94efe53941ed749905f68fc9a07d806

SHA256
cf8b272e33d1be8de9047a684b9dd7d797e5889e0edbaf35213a355c041d7345

SHA512
dbdc5f49083bbef1fe3b3752f5ae8fc93c3d3f8b45dd20b7a4572ba76256f69c0fca98fe4c15cf107755f8023fc9c9b955b92159b83a251365df06231230fd49

Download Submit
C:\Users\Admin\AppData\Local\Temp\9331432fdb2f0c092fa43877927f8551a8c7cdeb13a515376aff69accfec5952.exe.exe

Filesize
62KB

MD5
c54f1fc981737d618eaab97ba5df6614

SHA1
7d4422e8c078f2699093effe564854748b62bc7b

SHA256
2a96aa7b2e19c2f7970c258a7760e5cd503442ef5375edca947488fc2d8374c4

SHA512
85a454cc272fb6bbe69d833a22a16c3882b899c8dc92b2ae54423c75758c8fd5df683d1deb82bc5de859e96c72b52cc9aec7699cb90f621e9cdc5852e931d65a

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
0c024d12adef144def06e6f299357485

SHA1
896f33f1c0bc5c6644094f07d44e2bcc377958bb

SHA256
df70e984201f34822e49a6da9037e738e596a51d3e190cf4b76b8c64ebd3c30d

SHA512
072a920b5fd0373d40947b9410becd9df1bfdff8913bb0650272a3e4c46b29b826b42998b61426b7eb6fa8d081066d0b0aa183dbf0044e9119b10f9a3faae09d

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
842B

MD5
6f4adf207ef402d9ef40c6aa52ffd245

SHA1
4b05b495619c643f02e278dede8f5b1392555a57

SHA256
d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

SHA512
a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\_desktop.ini

Filesize
9B

MD5
31874817e0fb055be8d2c971c0e3bbde

SHA1
ee8a35d6a86cb6d13f354d67d912e194bb09c74b

SHA256
94de8b492bc2db9a9592f7c9433547eb7f80826ed67f48d2bb7e22db9d49f544

SHA512
55747c69ae50fa212576d095f60cf33b42e26789cf8c34fc5120a45b1988aae95f91d9e37cb17298c5ac5243b2e4c40e1d0e084ce7fe14bceb4ebb318c65c944

Download Submit
memory/1952-0-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1952-10-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3680-20-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3680-12-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3680-5012-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3680-8645-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download