Analysis
max time kernel: 150s
max time network: 128s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64 arch:x86 image:win10v2004-20230915-en locale:en-us os:windows10-2004-x64 system
submitted: 20/09/2023, 06:29
Static task: static1
Behavioral task: behavioral1
Sample: 9ce761bc2e96d0905e74779ff922b8bcd5dab9ced3dec1b87cd007edf45e5b74.exe
Resource: win7-20230831-en
General
Target: 9ce761bc2e96d0905e74779ff922b8bcd5dab9ced3dec1b87cd007edf45e5b74.exe
Size: 2.8MB
MD5: 005a27bd5ce50371dbd5d14ee5c6a1eb
SHA1: 37589c7c4dc92100294c11e0d55c5f2be9968843
SHA256: 9ce761bc2e96d0905e74779ff922b8bcd5dab9ced3dec1b87cd007edf45e5b74
SHA512: 0cbb66b956554e7550b5202b7af7508217302602ce6b42c75bfeee36ab084c189186c63876520f64a9273530d0190d88c81bd9d597d50ed408581186d208bc79
SSDEEP: 49152:xBc6gLKJuMarhVnMFwTH8/giBiBcbk4ZxZ2DqFeVMhuxcPh:x/d1XdhBiiMa7
Malware Config
Signatures
Drops startup file 2 IoCs
description                   ioc                                                                 Process
File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini  Logo1_.exe
File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini  Logo1_.exe
Executes dropped EXE 2 IoCs
pid   Process
1920  Logo1_.exe
4380  9ce761bc2e96d0905e74779ff922b8bcd5dab9ced3dec1b87cd007edf45e5b74.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description              ioc     Process
File opened (read-only)  \??\N:  Logo1_.exe
File opened (read-only)  \??\K:  Logo1_.exe
File opened (read-only)  \??\I:  Logo1_.exe
File opened (read-only)  \??\H:  Logo1_.exe
File opened (read-only)  \??\O:  Logo1_.exe
File opened (read-only)  \??\E:  Logo1_.exe
File opened (read-only)  \??\R:  Logo1_.exe
File opened (read-only)  \??\Y:  Logo1_.exe
File opened (read-only)  \??\X:  Logo1_.exe
File opened (read-only)  \??\W:  Logo1_.exe
File opened (read-only)  \??\P:  Logo1_.exe
File opened (read-only)  \??\G:  Logo1_.exe
File opened (read-only)  \??\Z:  Logo1_.exe
File opened (read-only)  \??\U:  Logo1_.exe
File opened (read-only)  \??\T:  Logo1_.exe
File opened (read-only)  \??\S:  Logo1_.exe
File opened (read-only)  \??\Q:  Logo1_.exe
File opened (read-only)  \??\M:  Logo1_.exe
File opened (read-only)  \??\L:  Logo1_.exe
File opened (read-only)  \??\J:  Logo1_.exe
File opened (read-only)  \??\V:  Logo1_.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
description                   ioc                      Process
File created                  C:\Windows\rundl132.exe  9ce761bc2e96d0905e74779ff922b8bcd5dab9ced3dec1b87cd007edf45e5b74.exe
File created                  C:\Windows\Logo1_.exe    9ce761bc2e96d0905e74779ff922b8bcd5dab9ced3dec1b87cd007edf45e5b74.exe
File opened for modification  C:\Windows\rundl132.exe  Logo1_.exe
File created                  C:\Windows\Dll.dll       Logo1_.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of WriteProcessMemory 26 IoCs
description                       pid   Process                                                                 procid_target
PID 4584 wrote to memory of 3744  4584  9ce761bc2e96d0905e74779ff922b8bcd5dab9ced3dec1b87cd007edf45e5b74.exe  85
PID 4584 wrote to memory of 3744  4584  9ce761bc2e96d0905e74779ff922b8bcd5dab9ced3dec1b87cd007edf45e5b74.exe  85
PID 4584 wrote to memory of 3744  4584  9ce761bc2e96d0905e74779ff922b8bcd5dab9ced3dec1b87cd007edf45e5b74.exe  85
PID 3744 wrote to memory of 3596  3744  net.exe                                                                 87
PID 3744 wrote to memory of 3596  3744  net.exe                                                                 87
PID 3744 wrote to memory of 3596  3744  net.exe                                                                 87
PID 4584 wrote to memory of 1924  4584  9ce761bc2e96d0905e74779ff922b8bcd5dab9ced3dec1b87cd007edf45e5b74.exe  88
PID 4584 wrote to memory of 1924  4584  9ce761bc2e96d0905e74779ff922b8bcd5dab9ced3dec1b87cd007edf45e5b74.exe  88
PID 4584 wrote to memory of 1924  4584  9ce761bc2e96d0905e74779ff922b8bcd5dab9ced3dec1b87cd007edf45e5b74.exe  88
PID 4584 wrote to memory of 1920  4584  9ce761bc2e96d0905e74779ff922b8bcd5dab9ced3dec1b87cd007edf45e5b74.exe  89
PID 4584 wrote to memory of 1920  4584  9ce761bc2e96d0905e74779ff922b8bcd5dab9ced3dec1b87cd007edf45e5b74.exe  89
PID 4584 wrote to memory of 1920  4584  9ce761bc2e96d0905e74779ff922b8bcd5dab9ced3dec1b87cd007edf45e5b74.exe  89
PID 1920 wrote to memory of 3816  1920  Logo1_.exe                                                              91
PID 1920 wrote to memory of 3816  1920  Logo1_.exe                                                              91
PID 1920 wrote to memory of 3816  1920  Logo1_.exe                                                              91
PID 3816 wrote to memory of 3520  3816  net.exe                                                                 93
PID 3816 wrote to memory of 3520  3816  net.exe                                                                 93
PID 3816 wrote to memory of 3520  3816  net.exe                                                                 93
PID 1920 wrote to memory of 3928  1920  Logo1_.exe                                                              97
PID 1920 wrote to memory of 3928  1920  Logo1_.exe                                                              97
PID 1920 wrote to memory of 3928  1920  Logo1_.exe                                                              97
PID 3928 wrote to memory of 2800  3928  net.exe                                                                 99
PID 3928 wrote to memory of 2800  3928  net.exe                                                                 99
PID 3928 wrote to memory of 2800  3928  net.exe                                                                 99
PID 1920 wrote to memory of 3188  1920  Logo1_.exe                                                              56
PID 1920 wrote to memory of 3188  1920  Logo1_.exe                                                              56
Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3188
  C:\Users\Admin\AppData\Local\Temp\9ce761bc2e96d0905e74779ff922b8bcd5dab9ced3dec1b87cd007edf45e5b74.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\9ce761bc2e96d0905e74779ff922b8bcd5dab9ced3dec1b87cd007edf45e5b74.exe"
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 4584
    C:\Windows\SysWOW64\net.exe
      command line: net stop "Kingsoft AntiVirus Service"
      - Suspicious use of WriteProcessMemory
      PID: 3744
      C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        PID: 3596
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aE2EE.bat
      PID: 1924
      C:\Users\Admin\AppData\Local\Temp\9ce761bc2e96d0905e74779ff922b8bcd5dab9ced3dec1b87cd007edf45e5b74.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\9ce761bc2e96d0905e74779ff922b8bcd5dab9ced3dec1b87cd007edf45e5b74.exe"
        - Executes dropped EXE
        PID: 4380
    C:\Windows\Logo1_.exe
      command line: C:\Windows\Logo1_.exe
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 1920
      C:\Windows\SysWOW64\net.exe
        command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        PID: 3816
        C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 3520
      C:\Windows\SysWOW64\net.exe
        command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        PID: 3928
        C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 2800
Network
MITRE ATT&CK Enterprise v15
Downloads