cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230831-en
resource tags

arch:x64arch:x86image:win10v2004-20230831-enlocale:en-usos:windows10-2004-x64system
submitted
04-09-2023 09:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
Size

478KB
MD5

ebd7225ca6d2671c11276e57b4b98968
SHA1

f15a6567337e16fa539e483bec4f422c1931614b
SHA256

cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c
SHA512

1a4334c7779ac3f7765ebd38bde9c80203e4b63a2f9fbb53aace6fbc8904f92eed38592ec8fc8cfd1eb9d51dfa1b2d74f23efe2a58a75d8d64f418f3a695bce0
SSDEEP

12288:oUMHdZc0IursYCYQeSnyZJiqlEbXSb9NtCGOF2O27MVzy:JMHxMYenGJiKEbXWtfOkUy

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 3 IoCs

pid	Process
2340	Logo1_.exe
2920	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
4632	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe

Loads dropped DLL 1 IoCs

pid	Process
4632	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre1.8.0_66\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\km\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmpconfig.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\win32\bridge\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ca-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\he-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nb-no\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\management\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\en-us\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Validator\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ia\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
File created	C:\Windows\Logo1_.exe	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
816	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
816	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
816	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
816	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
816	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
816	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
816	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
816	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
816	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
816	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
816	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
816	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
816	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
816	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
816	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
816	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
816	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
816	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
816	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
816	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
816	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
816	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
816	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
816	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
816	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
816	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe
2340	Logo1_.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 816 wrote to memory of 4348	816	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe	86
PID 816 wrote to memory of 4348	816	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe	86
PID 816 wrote to memory of 4348	816	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe	86
PID 4348 wrote to memory of 3696	4348	net.exe	89
PID 4348 wrote to memory of 3696	4348	net.exe	89
PID 4348 wrote to memory of 3696	4348	net.exe	89
PID 816 wrote to memory of 4408	816	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe	90
PID 816 wrote to memory of 4408	816	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe	90
PID 816 wrote to memory of 4408	816	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe	90
PID 816 wrote to memory of 2340	816	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe	92
PID 816 wrote to memory of 2340	816	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe	92
PID 816 wrote to memory of 2340	816	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe	92
PID 2340 wrote to memory of 3592	2340	Logo1_.exe	93
PID 2340 wrote to memory of 3592	2340	Logo1_.exe	93
PID 2340 wrote to memory of 3592	2340	Logo1_.exe	93
PID 4408 wrote to memory of 2920	4408	cmd.exe	95
PID 4408 wrote to memory of 2920	4408	cmd.exe	95
PID 4408 wrote to memory of 2920	4408	cmd.exe	95
PID 3592 wrote to memory of 1028	3592	net.exe	96
PID 3592 wrote to memory of 1028	3592	net.exe	96
PID 3592 wrote to memory of 1028	3592	net.exe	96
PID 2920 wrote to memory of 4632	2920	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe	97
PID 2920 wrote to memory of 4632	2920	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe	97
PID 2920 wrote to memory of 4632	2920	cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe	97
PID 2340 wrote to memory of 1976	2340	Logo1_.exe	98
PID 2340 wrote to memory of 1976	2340	Logo1_.exe	98
PID 2340 wrote to memory of 1976	2340	Logo1_.exe	98
PID 1976 wrote to memory of 4804	1976	net.exe	100
PID 1976 wrote to memory of 4804	1976	net.exe	100
PID 1976 wrote to memory of 4804	1976	net.exe	100
PID 2340 wrote to memory of 3168	2340	Logo1_.exe	47
PID 2340 wrote to memory of 3168	2340	Logo1_.exe	47

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3168
- C:\Users\Admin\AppData\Local\Temp\cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
  "C:\Users\Admin\AppData\Local\Temp\cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:816
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4348
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:3696
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7791.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4408
  - - C:\Users\Admin\AppData\Local\Temp\cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
      "C:\Users\Admin\AppData\Local\Temp\cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2920
    - - C:\Users\Admin\AppData\Local\Temp\cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe
        
        "C:\Users\Admin\AppData\Local\Temp\cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe" -burn.unelevated BurnPipe.{DA03C0D7-464B-4A0C-82CD-EA0A9A1981E2} {C09C76A5-26B4-4A46-905B-125D34901FF6} 2920
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4632
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2340
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3592
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:1028
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1976
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:4804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
258KB

MD5
4da1ac2c4f32700517b93712898b036c

SHA1
3f699f656e034a611355c4435358d3144fdf97cc

SHA256
3c9d714a593981994a9ad2c8c88b495ef3c1e3b89ae8c5a29d1f7240e178f069

SHA512
8c7c84dc64ccbf3bf6111ad92c05eed1283d6379c89528001ca8be56f6d13bc7e1e573f9aa72e3fa2f4bf53e4b98f243807a0201d801a57238276d5b211c9be2

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
491KB

MD5
4072f5bf206acbfe404febf3ad9fd31b

SHA1
076d000fc2d753efa21160636e1c3235b5b16264

SHA256
d11418cee65dd95e2dac96464da4d381f974c5580f40ad57e9bacef1b26c343b

SHA512
5b3860067d62b9f3704f20be4da554fcbfd347a3a4fe1a4549d49b7e0fff0c9f70a1a583320d25183f43ade8c766a2234942eeb6019f7302cab69bf1f6fba772

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a7791.bat

Filesize
722B

MD5
920e02657de79894e0e748ffe608d3d6

SHA1
3a326d056197329550a2aff47771ab1da8f8e6fb

SHA256
d7dd44431e2ecd6b4cb219498cc96efcfc5c013496659a7fcaf19d61e0d64c65

SHA512
b1d9ff98f07f2a7b67125ee74e3df133bfcf736dfee78044854d88f26ca1654bb990bb630d7fc5daec16a62afc0534e0335203ad60529714657367db5bbe9cd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe

Filesize
444KB

MD5
2b48f69517044d82e1ee675b1690c08b

SHA1
83ca22c8a8e9355d2b184c516e58b5400d8343e0

SHA256
507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496

SHA512
97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe

Filesize
444KB

MD5
2b48f69517044d82e1ee675b1690c08b

SHA1
83ca22c8a8e9355d2b184c516e58b5400d8343e0

SHA256
507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496

SHA512
97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cd48b6f8f7ef5272d552a73021dd43f45dab66fe17a946a67abd639a1e782b5c.exe.exe

Filesize
444KB

MD5
2b48f69517044d82e1ee675b1690c08b

SHA1
83ca22c8a8e9355d2b184c516e58b5400d8343e0

SHA256
507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496

SHA512
97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\.ba1\logo.png

Filesize
1KB

MD5
d6bd210f227442b3362493d046cea233

SHA1
ff286ac8370fc655aea0ef35e9cf0bfcb6d698de

SHA256
335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef

SHA512
464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\.ba1\wixstdba.dll

Filesize
126KB

MD5
d7bf29763354eda154aad637017b5483

SHA1
dfa7d296bfeecde738ef4708aaabfebec6bc1e48

SHA256
7f5f8fcfd84132579f07e395e65b44e1b031fe01a299bce0e3dd590131c5cb93

SHA512
1c76175732fe68b9b12cb46077daa21e086041adbd65401717a9a1b5f3c516e03c35a90897c22c7281647d6af4a1a5ffb3fbd5706ea376d8f6e574d27396019c

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
346075a5736c44dccf1d8465aec587f9

SHA1
ad9ee7e900806ad60a6b9189a4d1e2d0358ff401

SHA256
a01002f54fa0fb377b3d472f03a62758bed36170ac203ebe444e719e9d190a5f

SHA512
bb21ed52463aa875ce01b3e99ac0760773a2e1ca07b35cac92b70d9e4507fed336c3c237ff041e7b8af5aa3533786b0cdc92bcae3db39a718f5b025146a6e86c

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
346075a5736c44dccf1d8465aec587f9

SHA1
ad9ee7e900806ad60a6b9189a4d1e2d0358ff401

SHA256
a01002f54fa0fb377b3d472f03a62758bed36170ac203ebe444e719e9d190a5f

SHA512
bb21ed52463aa875ce01b3e99ac0760773a2e1ca07b35cac92b70d9e4507fed336c3c237ff041e7b8af5aa3533786b0cdc92bcae3db39a718f5b025146a6e86c

Download Submit
C:\Windows\rundl132.exe

Filesize
33KB

MD5
346075a5736c44dccf1d8465aec587f9

SHA1
ad9ee7e900806ad60a6b9189a4d1e2d0358ff401

SHA256
a01002f54fa0fb377b3d472f03a62758bed36170ac203ebe444e719e9d190a5f

SHA512
bb21ed52463aa875ce01b3e99ac0760773a2e1ca07b35cac92b70d9e4507fed336c3c237ff041e7b8af5aa3533786b0cdc92bcae3db39a718f5b025146a6e86c

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-4272677097-406801653-1594978504-1000\_desktop.ini

Filesize
8B

MD5
587438ba3214d6958f23eced1b2cd39c

SHA1
56d9150b977089419b026aaf6ee032981c437dfd

SHA256
4a9d4c3f321c10e2bb0319dca7695b9b3252a0e1d35cfc2a09bac15d5c36e090

SHA512
31309fcfa73bf18bb138cbe3744414acc13498184290586c8f185e828027f7b0c647f3f102826099465c7995a29e8a33d95f832ffac8d16b619b53f037e4fd63

Download Submit
memory/816-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/816-10-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2340-34-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2340-1392-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2340-8-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2340-5094-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2340-8706-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download