040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2023, 01:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
Size

66KB
MD5

b0740d80c3b9d5106fe78701189af31f
SHA1

a269636c61fa84ab72b59a5a06b4e0d7b9cc886c
SHA256

040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b
SHA512

5af31140dd0766e97e9306ba1c92c5843518977eb09929747a96abf7541fd298ccbd05f70091f33b721150d312d351da2fa11b809ca2f7bfacfa1c8d6ce42c71
SSDEEP

1536:Ai4srz8dOBN9aunrxb4yzwC132n6RbK1A:A48oBN9aulb4yzjRbaA

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
2476	Logo1_.exe
4404	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Calculator\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Licenses\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\tnameserv.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\lua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\etc\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATER\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ca-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
File created	C:\Windows\Logo1_.exe	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2468	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
2468	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
2468	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
2468	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
2468	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
2468	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
2468	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
2468	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
2468	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
2468	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
2468	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
2468	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
2468	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
2468	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
2468	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
2468	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
2468	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
2468	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
2468	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
2468	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
2468	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
2468	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
2468	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
2468	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
2468	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
2468	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe
2476	Logo1_.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 3868	2468	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe	82
PID 2468 wrote to memory of 3868	2468	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe	82
PID 2468 wrote to memory of 3868	2468	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe	82
PID 3868 wrote to memory of 4316	3868	net.exe	84
PID 3868 wrote to memory of 4316	3868	net.exe	84
PID 3868 wrote to memory of 4316	3868	net.exe	84
PID 2468 wrote to memory of 3456	2468	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe	85
PID 2468 wrote to memory of 3456	2468	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe	85
PID 2468 wrote to memory of 3456	2468	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe	85
PID 2468 wrote to memory of 2476	2468	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe	87
PID 2468 wrote to memory of 2476	2468	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe	87
PID 2468 wrote to memory of 2476	2468	040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe	87
PID 2476 wrote to memory of 3684	2476	Logo1_.exe	89
PID 2476 wrote to memory of 3684	2476	Logo1_.exe	89
PID 2476 wrote to memory of 3684	2476	Logo1_.exe	89
PID 3684 wrote to memory of 4644	3684	net.exe	90
PID 3684 wrote to memory of 4644	3684	net.exe	90
PID 3684 wrote to memory of 4644	3684	net.exe	90
PID 3456 wrote to memory of 4404	3456	cmd.exe	91
PID 3456 wrote to memory of 4404	3456	cmd.exe	91
PID 3456 wrote to memory of 4404	3456	cmd.exe	91
PID 2476 wrote to memory of 3824	2476	Logo1_.exe	93
PID 2476 wrote to memory of 3824	2476	Logo1_.exe	93
PID 2476 wrote to memory of 3824	2476	Logo1_.exe	93
PID 3824 wrote to memory of 4092	3824	net.exe	95
PID 3824 wrote to memory of 4092	3824	net.exe	95
PID 3824 wrote to memory of 4092	3824	net.exe	95
PID 2476 wrote to memory of 3152	2476	Logo1_.exe	50
PID 2476 wrote to memory of 3152	2476	Logo1_.exe	50

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3152
- C:\Users\Admin\AppData\Local\Temp\040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
  "C:\Users\Admin\AppData\Local\Temp\040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2468
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3868
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:4316
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD958.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3456
  - - C:\Users\Admin\AppData\Local\Temp\040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
      "C:\Users\Admin\AppData\Local\Temp\040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe"
      4⤵
      Executes dropped EXE
      PID:4404
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2476
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3684
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:4644
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3824
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:4092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
258KB

MD5
3d85e6d92ac7be70637f958dde2b011e

SHA1
de203840649525f16e0bca64ac03d6288a1b7316

SHA256
7d1496ae1660972107f77423879bcf3dbd8c4d4feed5690d8a756d1aadc5ded7

SHA512
7744e7e7570e10113f07b2f576679642a16269979978edac66a3e311171635dadc407d08533761e97231f77fc37684b6b7aca655b7d6a6d95fd4ac6764e34afd

Download Submit
C:\Program Files\SuspendResolve.exe

Filesize
619KB

MD5
6960486b0b15bbc16ebd4880d6d8cf53

SHA1
a6e64425f1f3a00497bcfaa1b19f77795a457645

SHA256
eb2550f51212b4aff4fb87768a016dba7b9a32e1d4d317a815614c751444cd41

SHA512
0063c2899f173dd5bf8824e39ea74eda931cbc7a4a69d4805239eb0b3e574849787ea3542568c3096504836c3d08c7713e599b8239eeb3c6d0894693287ab02b

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
478KB

MD5
f42c7fca4a74677fc3f9dff9c92bc66a

SHA1
485aefa513bd7cf9546571c9d5bbfaea2e2aa761

SHA256
a762874c0c4e1b60ae4dd0d93778af865eceff9edb71debfc90b7827cec0665f

SHA512
afd338ea3b920930eb18853143277705d7a481611d207c732bbaea188e289481c42f80a48af4d2712e823424d993346a01b148aa64583198e4dbf2bf75c791f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aD958.bat

Filesize
722B

MD5
75adc8799a9ca60b428dddf402b5d3bc

SHA1
8ead366ecded946e6d93007058d7325a8cd8f78e

SHA256
84a38e45e38f6e231b6a4b55dc60fd1b0f32e1821286adc92827e983959ad6c1

SHA512
652202d59686b7a770eb49a8b915a3b308e74885dd61006f1948e442b457a6b0eaeb21845a2dad1c56b0ba7b9b42123d0c9e0ca2d13f33136ccdf42d3937ef3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe

Filesize
33KB

MD5
52886e1f39689e26425482ee3a448ec2

SHA1
ac125f76ce72cc9afb6d45a9d416f414d89aa526

SHA256
6ec5438e178d75a9598cc4a56f3a91975537bc7357d42dd7a95b663cc45ecb1c

SHA512
f3c4e4513bdd3b420320c38383b7fc41d0d0a16ba023db47cd48ba5803e86103e9ac134cddf9b0d9deef076819784f77bbd8c8c24aef4293bed9803ad3e85508

Download Submit
C:\Users\Admin\AppData\Local\Temp\040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe.exe

Filesize
33KB

MD5
52886e1f39689e26425482ee3a448ec2

SHA1
ac125f76ce72cc9afb6d45a9d416f414d89aa526

SHA256
6ec5438e178d75a9598cc4a56f3a91975537bc7357d42dd7a95b663cc45ecb1c

SHA512
f3c4e4513bdd3b420320c38383b7fc41d0d0a16ba023db47cd48ba5803e86103e9ac134cddf9b0d9deef076819784f77bbd8c8c24aef4293bed9803ad3e85508

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
4b8d5611897671cb722c88a92fea57cd

SHA1
d2bd76334c02d3aff4a8dfe3477162c85f8c14c9

SHA256
0a05a55fa316d55995d50de7a9ebcde75cbedee25846d320bffaef1eec6b34a2

SHA512
821aaadb27a1d2f0ac1b2fd3c9da43dc65ad00481d18f4a4c660b1bf0065dbe8ba1a736c713c40923b98ad8858f14e5c50efa21530efbe430db54a477b9075a8

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
4b8d5611897671cb722c88a92fea57cd

SHA1
d2bd76334c02d3aff4a8dfe3477162c85f8c14c9

SHA256
0a05a55fa316d55995d50de7a9ebcde75cbedee25846d320bffaef1eec6b34a2

SHA512
821aaadb27a1d2f0ac1b2fd3c9da43dc65ad00481d18f4a4c660b1bf0065dbe8ba1a736c713c40923b98ad8858f14e5c50efa21530efbe430db54a477b9075a8

Download Submit
C:\Windows\rundl132.exe

Filesize
33KB

MD5
4b8d5611897671cb722c88a92fea57cd

SHA1
d2bd76334c02d3aff4a8dfe3477162c85f8c14c9

SHA256
0a05a55fa316d55995d50de7a9ebcde75cbedee25846d320bffaef1eec6b34a2

SHA512
821aaadb27a1d2f0ac1b2fd3c9da43dc65ad00481d18f4a4c660b1bf0065dbe8ba1a736c713c40923b98ad8858f14e5c50efa21530efbe430db54a477b9075a8

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-4176143399-3250363947-192774652-1000\_desktop.ini

Filesize
9B

MD5
16548fefb55deef0a354259a11e1cc14

SHA1
6e4f38c24333eb1c8bcc91e4e4042ce600a44c4f

SHA256
f6d78c8a802bfc4dded630ac9f8d33fb335ab11d45bb742fac993f8d42ea327c

SHA512
1fcd0a93c383bf38b97073a84ac50c78149cd1160299e71676fc5a3a6f655affac3a0e2433cf5bc4c145cda0ec44a23d13e1da953e15feefb0b9cefd84204271

Download Submit
memory/2468-143-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2468-133-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2476-150-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2476-930-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2476-2437-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2476-5544-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2476-141-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2476-8766-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download