Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-06-2024 14:36
Static task
static1
Behavioral task
behavioral1
Sample
9b7135c8b57fbff60c86a22f79b74d64d869ca56015cd1fa3c386fafb2d0dde1.exe
Resource
win7-20240508-en
General
Target: 9b7135c8b57fbff60c86a22f79b74d64d869ca56015cd1fa3c386fafb2d0dde1.exe
Size: 72KB
MD5: aedc962c31238cc14f60846f72d673d7
SHA1: 6f994753a71f48fb3bf8014c981a30a2ee06eddf
SHA256: 9b7135c8b57fbff60c86a22f79b74d64d869ca56015cd1fa3c386fafb2d0dde1
SHA512: e4b9d36dae05da7ae533b9df9e83c05629a2cfae1fb33a1600c32fc7ec859a5f12ab19b7c4d96643c1701adf7a512dab644eef977378e2f5c7be54d5706e9f50
SSDEEP: 1536:Hje+Zk7qzUJBeLkbiT29dXXC4ayFGyHNXk:Hje+aezUDbHXHC+4yHN0
Malware Config
Signatures
-
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
-
Executes dropped EXE 2 IoCs
pid | Process
2192 | Logo1_.exe
1624 | 9b7135c8b57fbff60c86a22f79b74d64d869ca56015cd1fa3c386fafb2d0dde1.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\Logo1_.exe | 9b7135c8b57fbff60c86a22f79b74d64d869ca56015cd1fa3c386fafb2d0dde1.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\Dll.dll | Logo1_.exe
File created | C:\Windows\rundl132.exe | 9b7135c8b57fbff60c86a22f79b74d64d869ca56015cd1fa3c386fafb2d0dde1.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of WriteProcessMemory 29 IoCs
Processes
- C:\Windows\Explorer.EXE (PID:3488)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\9b7135c8b57fbff60c86a22f79b74d64d869ca56015cd1fa3c386fafb2d0dde1.exe (PID:3392)
    Command line: "C:\Users\Admin\AppData\Local\Temp\9b7135c8b57fbff60c86a22f79b74d64d869ca56015cd1fa3c386fafb2d0dde1.exe"
    Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID:4160)
      Command line: net stop "Kingsoft AntiVirus Service"
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID:2752)
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
    - C:\Windows\SysWOW64\cmd.exe (PID:1452)
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4CC8.bat
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\9b7135c8b57fbff60c86a22f79b74d64d869ca56015cd1fa3c386fafb2d0dde1.exe (PID:1624)
        Command line: "C:\Users\Admin\AppData\Local\Temp\9b7135c8b57fbff60c86a22f79b74d64d869ca56015cd1fa3c386fafb2d0dde1.exe"
        Signatures: Executes dropped EXE
    - C:\Windows\Logo1_.exe (PID:2192)
      Command line: C:\Windows\Logo1_.exe
      Signatures: Drops startup file; Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID:4264)
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID:1908)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      - C:\Windows\SysWOW64\net.exe (PID:2164)
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID:4560)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads