95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240704-en
resource tags

arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
submitted
09/07/2024, 09:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe
Size

264KB
MD5

5dc6df8fcb77a829557c591d8f0711f7
SHA1

cb6d58da5284de15e536217540c6e4b96b4c38b0
SHA256

95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857
SHA512

8b890e1f9f0a84ad1d195100286538fe8ba586cfe9fa305b1fb9cee12d7cd3c05dcc8082f8b3afb4d628fd211e8650dbc3106a5be78dbe390337c63b20a6ea76
SSDEEP

3072:eXfZQioJK+LRkgUA1nQZwFGVO4Mqg+WDY:sALRp1nQ4QLd

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
3696	Logo1_.exe
1900	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft.NET\ADOMD.NET\130\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre-1.8\bin\plugin2\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ka\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files-select\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\he-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOICONS.EXE	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pt_BR\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\codec\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\Simple\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Mu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\es-es\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe
File created	C:\Windows\Logo1_.exe	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3936	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe
3936	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe
3936	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe
3936	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe
3936	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe
3936	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe
3936	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe
3936	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe
3936	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe
3936	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe
3936	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe
3936	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe
3936	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe
3936	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe
3936	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe
3936	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe
3936	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe
3936	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe
3936	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe
3936	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe
3936	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe
3936	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe
3936	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe
3936	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe
3936	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe
3936	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe
3696	Logo1_.exe
3696	Logo1_.exe
3696	Logo1_.exe
3696	Logo1_.exe
3696	Logo1_.exe
3696	Logo1_.exe
3696	Logo1_.exe
3696	Logo1_.exe
3696	Logo1_.exe
3696	Logo1_.exe
3696	Logo1_.exe
3696	Logo1_.exe
3696	Logo1_.exe
3696	Logo1_.exe
3696	Logo1_.exe
3696	Logo1_.exe
3696	Logo1_.exe
3696	Logo1_.exe
3696	Logo1_.exe
3696	Logo1_.exe
3696	Logo1_.exe
3696	Logo1_.exe
3696	Logo1_.exe
3696	Logo1_.exe
3696	Logo1_.exe
3696	Logo1_.exe
3696	Logo1_.exe
3696	Logo1_.exe
3696	Logo1_.exe
3696	Logo1_.exe
3696	Logo1_.exe
3696	Logo1_.exe
3696	Logo1_.exe
3696	Logo1_.exe
3696	Logo1_.exe
3696	Logo1_.exe
3696	Logo1_.exe
3696	Logo1_.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 3936 wrote to memory of 1660	3936	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe	82
PID 3936 wrote to memory of 1660	3936	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe	82
PID 3936 wrote to memory of 1660	3936	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe	82
PID 1660 wrote to memory of 4048	1660	net.exe	85
PID 1660 wrote to memory of 4048	1660	net.exe	85
PID 1660 wrote to memory of 4048	1660	net.exe	85
PID 3936 wrote to memory of 5064	3936	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe	88
PID 3936 wrote to memory of 5064	3936	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe	88
PID 3936 wrote to memory of 5064	3936	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe	88
PID 3936 wrote to memory of 3696	3936	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe	90
PID 3936 wrote to memory of 3696	3936	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe	90
PID 3936 wrote to memory of 3696	3936	95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe	90
PID 3696 wrote to memory of 3768	3696	Logo1_.exe	91
PID 3696 wrote to memory of 3768	3696	Logo1_.exe	91
PID 3696 wrote to memory of 3768	3696	Logo1_.exe	91
PID 3768 wrote to memory of 3320	3768	net.exe	93
PID 3768 wrote to memory of 3320	3768	net.exe	93
PID 3768 wrote to memory of 3320	3768	net.exe	93
PID 5064 wrote to memory of 1900	5064	cmd.exe	94
PID 5064 wrote to memory of 1900	5064	cmd.exe	94
PID 5064 wrote to memory of 1900	5064	cmd.exe	94
PID 3696 wrote to memory of 1112	3696	Logo1_.exe	95
PID 3696 wrote to memory of 1112	3696	Logo1_.exe	95
PID 3696 wrote to memory of 1112	3696	Logo1_.exe	95
PID 1112 wrote to memory of 2100	1112	net.exe	97
PID 1112 wrote to memory of 2100	1112	net.exe	97
PID 1112 wrote to memory of 2100	1112	net.exe	97
PID 3696 wrote to memory of 3504	3696	Logo1_.exe	56
PID 3696 wrote to memory of 3504	3696	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3504
- C:\Users\Admin\AppData\Local\Temp\95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe
  "C:\Users\Admin\AppData\Local\Temp\95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:4048
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a81E2.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5064
  - - C:\Users\Admin\AppData\Local\Temp\95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe
      "C:\Users\Admin\AppData\Local\Temp\95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe"
      4⤵
      Executes dropped EXE
      PID:1900
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3696
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3768
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:3320
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1112
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
258KB

MD5
c031b4deb10e992ecc2fca24f69450e1

SHA1
d28ada07ce8378dbc4e907f3b1448ec9a113b72e

SHA256
c30dd1399eb0902d404a7621f178fbb3fbc35f54990633d7eaf7c1c6adcd347b

SHA512
ef69c695a9db7a4bfee74d158120319b68e33dd640b20c87ef5040883e3cc091a542781030eaf106f410e24b0b8d9720c57bd8f7a9c9e8cc79e2b31c582432b3

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
577KB

MD5
85b3c759a2ed635012bfaeb86058e569

SHA1
f1da6baceaa2fd1e1552b6d7f4ca60ddb00d5b15

SHA256
c466f320a737a15a928eed470238234b5c17a09f9233003ec25fefeec45ed3fe

SHA512
c84069664b979ef6865f481647b0d94477d8e383c8c4d35d88b948216e33e48718dbbefccf55d4483fa308cca4f124abc192177ffce18c5d7d2bbb0a35c4bbd6

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
643KB

MD5
c08994604c02bf7431e4c46295a779d5

SHA1
7f526582e292083589253bbc8b2cd093b2229ff2

SHA256
218bfecab8804a634b05ebcedc30eab7aa8fa8ed5775495ba9545517c311f00e

SHA512
13d9b746d0fe6922ecff9b5bf0ac896a63da11610341d4a7701e2a8d8fc5c0511d7bd9f4f54d3756b770998601b4f7b39b7e5c36d824dd42470fb0b499065c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a81E2.bat

Filesize
722B

MD5
14354d82f56eb3889a94caf0f111066f

SHA1
4cb594090277c9cfd59ac6ddf7e6f96ac2758b11

SHA256
98213a7755ca541b0b85fbe990f1062aed58bcbfd59e48ecf42d31ecd1f05602

SHA512
733c12f9e97f33bbe69a13defbfb11e5c0ff8f3cb74e4f999855c18dcc9099ebbc34b42105e4b733d1c3c1eb8a07e1e5a9d983fe5f6e051fd4b2f3a48819beea

Download Submit
C:\Users\Admin\AppData\Local\Temp\95d40f5e7584aaa8df75b7ae420cfe98702a6a2a498558f1ff9aac02087ad857.exe.exe

Filesize
231KB

MD5
6f581a41167d2d484fcba20e6fc3c39a

SHA1
d48de48d24101b9baaa24f674066577e38e6b75c

SHA256
3eb8d53778eab9fb13b4c97aeab56e4bad2a6ea3748d342f22eaf4d7aa3185a7

SHA512
e1177b6cea89445d58307b3327c78909adff225497f9abb8de571cdd114b547a8f515ec3ab038b583bf752a085b231f6329d6ca82fbe6be8a58cd97a1dbaf0f6

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
55f0baaeeb761a40ade638b231978a1a

SHA1
43285993b9512b483c283e6628f510f11638e516

SHA256
26721debf0e04b4ebf38931d8c44e2d985651d0cbc590a06de7a68b93b848479

SHA512
56c48ef92de26cb0d373d06ad4ddc49687681de59d9156a7f1bb34f3743bb6b38d5ae991370c60efc04a3a69da5d4a43e035fdc4e179b523ac7ab62c6df3a717

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-771719357-2485960699-3367710044-1000\_desktop.ini

Filesize
8B

MD5
d8dca68320777bb03e3a6dbdb7624c4f

SHA1
094cbdfea49743824e2aaf9c66082c25da2157b1

SHA256
ebe46a39e49fe879afd1b4ac0de5c6c62e8e90342cd71aaaf3ec1d84269e9c6e

SHA512
9097e8a3df0ae12235002caaef04951ab586d84ea9db1b9952e684b5ab570a033ba1bf047598fca329652cab23a5ec1516e6cd6dbcbd979fd32b9b8afbdf88cc

Download Submit
memory/3696-11-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3696-18-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3696-5160-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3696-8644-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3936-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3936-10-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download