d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 18:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe
Size

368KB
MD5

994328b11a007d758b8847fb02b81468
SHA1

b33b8d95fae04e70693a0294571cc708d15e06f8
SHA256

d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d
SHA512

0423bc3ee4a302364b3e83921e89e0f56199ada840b9cd5a422865a2880f32848ee99d8e080d42b777c866b867204356ed9212b34f7ff60be860e506dee4ce0a
SSDEEP

6144:M1mzU66bkWmchVySqkvAH3qo0wWJC6G/SMT4FWqC:M1uU66b5zhVymA/XSRh

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
208	Logo1_.exe
2408	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre-1.8\lib\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\loc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\COMPASS\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\zh-Hans\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Calculator\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sm\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft.NET\ADOMD.NET\130\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ie\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\eu-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre-1.8\lib\amd64\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\gmp-clearkey\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\cs-cz\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\policy\limited\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft.NET\ADOMD.NET\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Logo1_.exe	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2136	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe
2136	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe
2136	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe
2136	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe
2136	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe
2136	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe
2136	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe
2136	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe
2136	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe
2136	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe
2136	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe
2136	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe
2136	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe
2136	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe
2136	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe
2136	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe
2136	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe
2136	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe
2136	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe
2136	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe
2136	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe
2136	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe
2136	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe
2136	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe
2136	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe
2136	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe
208	Logo1_.exe
208	Logo1_.exe
208	Logo1_.exe
208	Logo1_.exe
208	Logo1_.exe
208	Logo1_.exe
208	Logo1_.exe
208	Logo1_.exe
208	Logo1_.exe
208	Logo1_.exe
208	Logo1_.exe
208	Logo1_.exe
208	Logo1_.exe
208	Logo1_.exe
208	Logo1_.exe
208	Logo1_.exe
208	Logo1_.exe
208	Logo1_.exe
208	Logo1_.exe
208	Logo1_.exe
208	Logo1_.exe
208	Logo1_.exe
208	Logo1_.exe
208	Logo1_.exe
208	Logo1_.exe
208	Logo1_.exe
208	Logo1_.exe
208	Logo1_.exe
208	Logo1_.exe
208	Logo1_.exe
208	Logo1_.exe
208	Logo1_.exe
208	Logo1_.exe
208	Logo1_.exe
208	Logo1_.exe
208	Logo1_.exe
208	Logo1_.exe
208	Logo1_.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 3196	2136	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe	82
PID 2136 wrote to memory of 3196	2136	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe	82
PID 2136 wrote to memory of 3196	2136	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe	82
PID 3196 wrote to memory of 3200	3196	net.exe	84
PID 3196 wrote to memory of 3200	3196	net.exe	84
PID 3196 wrote to memory of 3200	3196	net.exe	84
PID 2136 wrote to memory of 2196	2136	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe	87
PID 2136 wrote to memory of 2196	2136	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe	87
PID 2136 wrote to memory of 2196	2136	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe	87
PID 2136 wrote to memory of 208	2136	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe	88
PID 2136 wrote to memory of 208	2136	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe	88
PID 2136 wrote to memory of 208	2136	d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe	88
PID 208 wrote to memory of 912	208	Logo1_.exe	90
PID 208 wrote to memory of 912	208	Logo1_.exe	90
PID 208 wrote to memory of 912	208	Logo1_.exe	90
PID 912 wrote to memory of 4484	912	net.exe	92
PID 912 wrote to memory of 4484	912	net.exe	92
PID 912 wrote to memory of 4484	912	net.exe	92
PID 2196 wrote to memory of 2408	2196	cmd.exe	93
PID 2196 wrote to memory of 2408	2196	cmd.exe	93
PID 208 wrote to memory of 4136	208	Logo1_.exe	94
PID 208 wrote to memory of 4136	208	Logo1_.exe	94
PID 208 wrote to memory of 4136	208	Logo1_.exe	94
PID 4136 wrote to memory of 2980	4136	net.exe	96
PID 4136 wrote to memory of 2980	4136	net.exe	96
PID 4136 wrote to memory of 2980	4136	net.exe	96
PID 208 wrote to memory of 3516	208	Logo1_.exe	56
PID 208 wrote to memory of 3516	208	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3516
- C:\Users\Admin\AppData\Local\Temp\d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe
  "C:\Users\Admin\AppData\Local\Temp\d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2136
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3196
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:3200
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3018.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Users\Admin\AppData\Local\Temp\d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe
      "C:\Users\Admin\AppData\Local\Temp\d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe"
      4⤵
      Executes dropped EXE
      PID:2408
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:208
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:912
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:4484
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4136
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe

Filesize
577KB

MD5
5e30d16b8e69d6c1a539ec4bbc19d2f7

SHA1
fb69e35b1f9306dce3df2f359b60ff947b046558

SHA256
7b843f374d695e9bdbb119ae4264f5e2b7495dc5001cc291b4df3c70a969fb75

SHA512
fbfd982615b7e7277f1e92a29b67f65b55828554355219659df3e131450a97242553def5c6e230399f241ce674ee9b0b5cbf23f823c6a10ee6a51f30721806f3

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
643KB

MD5
b489893e2a89eb1682d618b8824fb7c3

SHA1
8f929e84ce714a7247920ec3902292e977ebb26d

SHA256
720afba2de160448f339c299f4607089254ec8f82168694d7808273128822e81

SHA512
a6f03b3cd792ad476e69854adc6280898882379bba50bab0af36d718d5b6806b585f172024f99a4f282785b9759ad3383643c9283daaa5947b79e8102d2c90c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a3018.bat

Filesize
722B

MD5
3328b3c320630df41a785b1334b8f238

SHA1
9ca6242bf40562223403b08d77182a4285491c58

SHA256
ce1da8d4bf2399b13448679f7e8504a5a4d4793bb6b6d96e8af72ab63e0d32be

SHA512
a40ce517207e22bedb3d81b034b547568d7386ee14ca2bb1adee53a944246824c452bc88eabad6880291ad37d0b41c4d834376f05a9d4a9c16119468fa2683f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\d1c7ed57191524d4625024b6fc0eb7ebbcabbc1602f54538cf3cd8ce54918c1d.exe.exe

Filesize
335KB

MD5
40ac62c087648ccc2c58dae066d34c98

SHA1
0e87efb6ddfe59e534ea9e829cad35be8563e5f7

SHA256
482c4c1562490e164d5f17990253373691aa5eab55a81c7f890fe9583a9ea916

SHA512
0c1ff13ff88409d54fee2ceb07fe65135ce2a9aa6f8da51ac0158abb2cfbb3a898ef26f476931986f1367622f21a7c0b0e742d0f4de8be6e215596b0d88c518f

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
726937f6d8546adf90a8ccc396c9568b

SHA1
562a243cad15148d094b1a79493cceecbc0358b7

SHA256
32ff9d1250cf6ed2d3bdbe31c9c733f2dca643ecc4fe816d83aa33c6736b4ee4

SHA512
d0864bc167728f211c9add8c35824301b630f8e682213b5c02fdb0333416551604b92d7120b4ce4b6028497893ed155c719adaff769f0d2b17d44a32c3be4b81

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-4018855536-2201274732-320770143-1000\_desktop.ini

Filesize
9B

MD5
588b2065b2adfd8dfd688104d02aad5a

SHA1
263f0ca294d728a13f51220aea8123aa257cc6e2

SHA256
f9ab49edf14c6bda17287f7caa63d3b3bb20a65215f1462cf05577a5c1c472e6

SHA512
99106035ac4547c81fd737f5f79ddd32ea10fde9e3ea97102472c871aa9f94ee3f68823bcc4bb308e92265a9c3cacd4b1f5c9f52f8d3e630cdf6bdcd3c737e2d

Download Submit
memory/208-9-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/208-18-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/208-2974-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/208-8656-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2136-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2136-11-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download