2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8

Analysis

max time kernel
150s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03/06/2024, 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe
Size

400KB
MD5

5b4850d16220e897b6d192d193935bab
SHA1

bdd741810ad3e9391dae1f5b5be122b36f2b9cc8
SHA256

2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8
SHA512

36c45ea17fd0c328d696ea6afad5c2b75afa4a66f9130cef17704358ff480b0aa0cacdc1b7bed9b907dcaeaeed0391fd4ab34eec68a80f2fff609a7a0b123736
SSDEEP

6144:N+aezsP2zPVz7jUBs8hqcBCi6dbfra4erJlt9A+xX1oOAisEIWmGeNkfGuYF1moW:N+aQahVy41

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
4856	Logo1_.exe
4248	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\swidtag\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Internet Explorer\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\or_IN\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\home-view\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\MEIPreload\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft.NET\ADOMD.NET\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sl-si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sv-se\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft.NET\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-il\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe
File created	C:\Windows\Logo1_.exe	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1396	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe
1396	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe
1396	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe
1396	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe
1396	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe
1396	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe
1396	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe
1396	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe
1396	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe
1396	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe
1396	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe
1396	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe
1396	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe
1396	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe
1396	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe
1396	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe
1396	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe
1396	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe
1396	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe
1396	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe
1396	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe
1396	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe
1396	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe
1396	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe
1396	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe
1396	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe
4856	Logo1_.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 848	1396	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe	81
PID 1396 wrote to memory of 848	1396	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe	81
PID 1396 wrote to memory of 848	1396	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe	81
PID 848 wrote to memory of 4680	848	net.exe	83
PID 848 wrote to memory of 4680	848	net.exe	83
PID 848 wrote to memory of 4680	848	net.exe	83
PID 1396 wrote to memory of 3724	1396	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe	87
PID 1396 wrote to memory of 3724	1396	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe	87
PID 1396 wrote to memory of 3724	1396	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe	87
PID 1396 wrote to memory of 4856	1396	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe	89
PID 1396 wrote to memory of 4856	1396	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe	89
PID 1396 wrote to memory of 4856	1396	2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe	89
PID 3724 wrote to memory of 4248	3724	cmd.exe	90
PID 3724 wrote to memory of 4248	3724	cmd.exe	90
PID 4856 wrote to memory of 1612	4856	Logo1_.exe	91
PID 4856 wrote to memory of 1612	4856	Logo1_.exe	91
PID 4856 wrote to memory of 1612	4856	Logo1_.exe	91
PID 1612 wrote to memory of 748	1612	net.exe	93
PID 1612 wrote to memory of 748	1612	net.exe	93
PID 1612 wrote to memory of 748	1612	net.exe	93
PID 4856 wrote to memory of 1940	4856	Logo1_.exe	94
PID 4856 wrote to memory of 1940	4856	Logo1_.exe	94
PID 4856 wrote to memory of 1940	4856	Logo1_.exe	94
PID 1940 wrote to memory of 4792	1940	net.exe	96
PID 1940 wrote to memory of 4792	1940	net.exe	96
PID 1940 wrote to memory of 4792	1940	net.exe	96
PID 4856 wrote to memory of 3484	4856	Logo1_.exe	56
PID 4856 wrote to memory of 3484	4856	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3484
- C:\Users\Admin\AppData\Local\Temp\2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe
  "C:\Users\Admin\AppData\Local\Temp\2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:848
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:4680
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a57D4.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3724
  - - C:\Users\Admin\AppData\Local\Temp\2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe
      "C:\Users\Admin\AppData\Local\Temp\2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe"
      4⤵
      Executes dropped EXE
      PID:4248
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4856
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1612
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:748
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1940
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:4792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
264KB

MD5
c0ad9453492036edf7c366cdfd9970e4

SHA1
b43b223cad6f8c349b5138a0d2ccc439d435b303

SHA256
9da3db4094a033f920f9aad3266e823e9d592ad78acac24dd0e358ebb059ec3b

SHA512
776b87da0cab39e6ee8daade00f9ce91a6d46bfc097aec78c46460ba0e8644ae71b43d1b458167966bdee97312b6d3ab4be71b55da4f9a5181e9bd1255483b26

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
583KB

MD5
cadbc1b25e26e7b616fcc198937dd36f

SHA1
ff565fb87f0e0ce560bcc77c59b2b5ce14b18328

SHA256
9f9434143eb8b7666b0d0c8c88cc350c0c03ba8ae0ba25e611056fcd5a955c19

SHA512
37fa017e93645b5a28e105dee37e3b9cb850689a2627509ce26b0f34545c684767875f38d90d6e905f05a9a11d05840f4f0a8f866b5a5565750c79b9dd2dd774

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
649KB

MD5
1ad09ab121869e9bedf81b1e82331d05

SHA1
21270e52207071b7d304acb7d776c9abba38c15c

SHA256
834cd914a6bc7c3eadf3b23bacc01433aa6a32411ab547d958604a1c434518b7

SHA512
4b1f28d726ec031fd0350a21ea7091087ae2688818716f7add7524fdf06a07d5937a4aa53c6029d2fab093714b1b48b8032927b56e2c207158946f6c71e6646b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a57D4.bat

Filesize
722B

MD5
5a733b9c32eb85cc14ab8b245aa98606

SHA1
89685a096d579f37d9b1000ab95053d133e16e2b

SHA256
0c5e4fa92361b9eeedf2e25acff67cde7b717d84b7519098d71dab0bffc5bde6

SHA512
74c132f25420766cbb0308f6aef64d187500c83dd8e2ea627d07d84a17e26fc4a5bc0de3a405f605261c3e1570488c3e3e0054613b1e93990e63f4071b549d00

Download Submit
C:\Users\Admin\AppData\Local\Temp\2f76c167166dfd198bb3356c8a5ef9564f0e398eec5fa1dc0e2033c904022de8.exe.exe

Filesize
360KB

MD5
5fbd45261a2de3bb42f489e825a9a935

SHA1
ff388f6e9efe651ec62c4152c1739783e7899293

SHA256
9e63701598199d5c47217e23b44d0e3ec5d53f5419166b1b6c68a7e9e8fc47a4

SHA512
7f22b1995a07016adb342c551454d602bfbe511525139aee8581b62116608e9e278fd81c26382f1333c7eccded4474196e73c093bb5cbf8e8f203e865024c058

Download Submit
C:\Windows\Logo1_.exe

Filesize
39KB

MD5
e6c7bf55188d71231750f9b606026ff0

SHA1
ec05472357b89ab9905ba7f079c275d4a6b86edf

SHA256
28612d2c64ed84d1ec223c74aac02dffb75840364574930c5bbc4eea629be22b

SHA512
d812d93c3fe8417bf98a1685b31e6c146471e0c4a37b9340ba0a57763852221be002375e109efff0bb01192c3f8180e6bda68d6f6ed927b45cb02f2b1998baa6

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3571316656-3665257725-2415531812-1000\_desktop.ini

Filesize
8B

MD5
a6f28952c332969f9e6d9f7d1a449737

SHA1
31c0826adb63cc03162fb9e88781f4b50da8f11b

SHA256
d9d875805581110dafdfb2ceb34c5e60f50fe720963f9813c287e4845248d208

SHA512
8187572ee8fbb9a42af34a3444be3a4309c5a798e7b1f27fce5b28b7168b72d015b1c10e611ccd3a9361af2aaeab831d2734017f77adff341c3fdb876c296eac

Download Submit
memory/1396-9-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1396-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4856-18-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4856-2352-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4856-11-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4856-8708-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download