be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937

Analysis

max time kernel
149s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
10/07/2024, 04:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
Size

1.3MB
MD5

9fe1882c032b5e51c335c50b4b37902f
SHA1

5fc01266eb91b6b095c4e9e61211329916ad7ab0
SHA256

be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937
SHA512

a779390053a8db71503c15a95cb320f64b432971796f9d63db110997573362f0478039f3768be1c554bc9538f498d19558057bddc3d301f3bba6ec77f6b40fca
SSDEEP

24576:3Z+05tErv2XwKvHoBHErvOmnD4TxJeUrtONbcDvX+ZRDSq9yG0+GYCwdD5sguoax:3Z+05RvyiUTxwuoNbxzyG0QCKD5daDEy

Score

9^/10

persistence ransomware spyware stealer

Malware Config

Signatures

Renames multiple (216) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
File opened for modification	C:\Windows\system32\drivers\etc\hosts	Logo1_.exe

Executes dropped EXE 3 IoCs

pid	Process
3584	Logo1_.exe
216	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
5024	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe"	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\load = "C:\\Windows\\uninstall\\rundl132.exe"	Logo1_.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\tnameserv.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe.Exe	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\bin\idlj.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\bin\rmic.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmid.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBridge\SkypeBridge.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE.Exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\SoundRec.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe.Exe	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateBroker.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\codecpacks.heif.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\AcroLayoutRecognizer.exe	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe	Logo1_.exe
File created	C:\Program Files\Java\jre-1.8\bin\unpack200.exe.Exe	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Integration\Integrator.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\3DViewer.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\LogTransport2.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateCore.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\bin\pack200.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\GameBar.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\GameBar.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\MicrosoftEdgeUpdate.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jhat.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\policytool.exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateBroker.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateComRegisterShell64.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\Installer\setup.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\klist.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Music.UI.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateOnDemand.exe.Exe	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\chrome.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARMHelper.exe.Exe	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe.Exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\klist.exe	Logo1_.exe
File created	C:\Program Files\Java\jre-1.8\bin\ktab.exe.Exe	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe.Exe	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE.Exe	Logo1_.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe.Exe	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\uninstall\rundl132.exe	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
File created	C:\Windows\Logo1_.exe	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
File opened for modification	C:\Windows\uninstall\rundl132.exe	Logo1_.exe
File created	C:\Windows\RichDll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5008	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
5008	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
5008	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
5008	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
5008	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
5008	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
5008	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
5008	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
5008	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
5008	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
5008	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
5008	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
5008	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
5008	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
5008	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
5008	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
5008	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
5008	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
5008	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
5008	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
5008	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
5008	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
5008	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
5008	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
5008	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
5008	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
3584	Logo1_.exe
3584	Logo1_.exe
3584	Logo1_.exe
3584	Logo1_.exe
3584	Logo1_.exe
3584	Logo1_.exe
3584	Logo1_.exe
3584	Logo1_.exe
3584	Logo1_.exe
3584	Logo1_.exe
3584	Logo1_.exe
3584	Logo1_.exe
3584	Logo1_.exe
3584	Logo1_.exe
3584	Logo1_.exe
3584	Logo1_.exe
3584	Logo1_.exe
3584	Logo1_.exe
3584	Logo1_.exe
3584	Logo1_.exe
3584	Logo1_.exe
3584	Logo1_.exe
3584	Logo1_.exe
3584	Logo1_.exe
3584	Logo1_.exe
3584	Logo1_.exe
3584	Logo1_.exe
3584	Logo1_.exe
3584	Logo1_.exe
3584	Logo1_.exe
3584	Logo1_.exe
3584	Logo1_.exe
3584	Logo1_.exe
3584	Logo1_.exe
3584	Logo1_.exe
3584	Logo1_.exe
3584	Logo1_.exe
3584	Logo1_.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 2948	5008	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe	80
PID 5008 wrote to memory of 2948	5008	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe	80
PID 5008 wrote to memory of 2948	5008	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe	80
PID 2948 wrote to memory of 3360	2948	net.exe	83
PID 2948 wrote to memory of 3360	2948	net.exe	83
PID 2948 wrote to memory of 3360	2948	net.exe	83
PID 5008 wrote to memory of 3604	5008	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe	86
PID 5008 wrote to memory of 3604	5008	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe	86
PID 5008 wrote to memory of 3604	5008	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe	86
PID 5008 wrote to memory of 3584	5008	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe	88
PID 5008 wrote to memory of 3584	5008	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe	88
PID 5008 wrote to memory of 3584	5008	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe	88
PID 3584 wrote to memory of 1064	3584	Logo1_.exe	89
PID 3584 wrote to memory of 1064	3584	Logo1_.exe	89
PID 3584 wrote to memory of 1064	3584	Logo1_.exe	89
PID 3604 wrote to memory of 216	3604	cmd.exe	91
PID 3604 wrote to memory of 216	3604	cmd.exe	91
PID 3604 wrote to memory of 216	3604	cmd.exe	91
PID 1064 wrote to memory of 64	1064	net.exe	92
PID 1064 wrote to memory of 64	1064	net.exe	92
PID 1064 wrote to memory of 64	1064	net.exe	92
PID 216 wrote to memory of 5024	216	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe	93
PID 216 wrote to memory of 5024	216	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe	93
PID 216 wrote to memory of 5024	216	be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe	93
PID 3584 wrote to memory of 3156	3584	Logo1_.exe	95
PID 3584 wrote to memory of 3156	3584	Logo1_.exe	95
PID 3584 wrote to memory of 3156	3584	Logo1_.exe	95
PID 3156 wrote to memory of 3052	3156	net.exe	97
PID 3156 wrote to memory of 3052	3156	net.exe	97
PID 3156 wrote to memory of 3052	3156	net.exe	97
PID 3584 wrote to memory of 3544	3584	Logo1_.exe	56
PID 3584 wrote to memory of 3544	3584	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3544
- C:\Users\Admin\AppData\Local\Temp\be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
  "C:\Users\Admin\AppData\Local\Temp\be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe"
  2⤵
  - Drops file in Drivers directory
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2948
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:3360
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB4C9.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - C:\Users\Admin\AppData\Local\Temp\be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
      "C:\Users\Admin\AppData\Local\Temp\be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:216
    - - C:\Users\Admin\AppData\Local\Temp\be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe
        
        "C:\Users\Admin\AppData\Local\Temp\be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe" -z2
        5⤵
        Executes dropped EXE
        
        PID:5024
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops file in Drivers directory
    - Executes dropped EXE
    - Adds Run key to start application
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3584
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1064
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:64
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3156
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:3052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\7-Zip\7z.exe.Exe

Filesize
613KB

MD5
957da4c41d9536ccfa60f108efca858a

SHA1
1e8c2e6905ec7a33223be76753813e4c3488e5e8

SHA256
ce3fbce1e9def7f33d54e0cdfa21824495266b78ce6c167236c2f19775fa1333

SHA512
6b1d5da2cbc5022cd908e8db70ee2782d7e53c6b337b545909b920dca674b2e43418c78f4b9b7b569ad86735980e32212ae449573499c3f6329e3c90920e69b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aB4C9.bat

Filesize
722B

MD5
7075ea1d57b680236c85579492526509

SHA1
f027a7f462a4caa7bb5636cbb201b1313434976f

SHA256
53449453a8cf0e91126ff8ef680a8d3c5c0b8622b82dd1b293bce4da5f3e84e0

SHA512
0b0d4060a2015322711cabf1e4386b8ef436992dfcbf0990ba4bc2307a80696c817796fb227c66e892c5b6afc84e20cf93e0fe7a633cac2f57e27f298351c458

Download Submit
C:\Users\Admin\AppData\Local\Temp\be728f86ec93958f300b9d36740ba6c12b0ab5d5f9554ff86ed9c87f686aa937.exe.exe

Filesize
1.3MB

MD5
0e3388b926c56152f09db6e3c9f201af

SHA1
b3cda93064e1af57f6f3975c2f594e04722bdbe1

SHA256
a3539705432118adb5fba381787adabf4849cba591c0d7088e423cfb835bf522

SHA512
cb543c19a066bdb31f3416b68eb618d4507a74b52a6e47b7a5a6f2a798b571208b6835792794c655d76b3f9839e06ec6d5c74b32362b5b161809e534fa291b46

Download Submit
C:\Windows\Logo1_.exe

Filesize
69KB

MD5
da79cc012e1b885a2e5f124c1555e2b0

SHA1
ae73909e579e5e08cef224201f110acf76e7b3de

SHA256
1e36b5c0b0205de3ddfe6582239ef752c71f871a525cd817f8088a388db6d43c

SHA512
5ab8c0b46cf962c70bf2a51db9d4eb023427fec2322059606088f91d3ee10686407612c22520e78b322ed31b9fe7632bc2fa38dc0410f86df32c517aeb7494fc

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
842B

MD5
6f4adf207ef402d9ef40c6aa52ffd245

SHA1
4b05b495619c643f02e278dede8f5b1392555a57

SHA256
d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e

SHA512
a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

Download Submit
memory/3584-12-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3584-14-0x0000000000450000-0x0000000000490000-memory.dmp

Filesize
256KB

Download
memory/3584-25-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/3584-26-0x0000000000450000-0x0000000000490000-memory.dmp

Filesize
256KB

Download
memory/5008-0-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/5008-1-0x0000000000450000-0x0000000000470000-memory.dmp

Filesize
128KB

Download
memory/5008-11-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download