Analysis
- max time kernel: 156s
- max time network: 162s
- platform: windows10-2004_x64
- resource: win10v2004-20231215-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-01-2024 19:57

Static task: static1
Behavioral task: behavioral1
Sample: cdc4e9a97cfdb29e14ebee1564049b662945f3cde9d8ccb2e479d21c165ffdf1.exe
Resource: win7-20231129-en
General
- Target: cdc4e9a97cfdb29e14ebee1564049b662945f3cde9d8ccb2e479d21c165ffdf1.exe
- Size: 67KB
- MD5: 5077127cd8e3f2ad3f4edc280324cf91
- SHA1: 7b7bb040200537e015b1abf761b989303e31813e
- SHA256: cdc4e9a97cfdb29e14ebee1564049b662945f3cde9d8ccb2e479d21c165ffdf1
- SHA512: 94ab89aa75c491bd1053c076c78081c58d2fed4f57f9293c476a9eb18346ed6ed96f74ffe4814d36b2b93e18efb68bf27e750b02765dab17e8150b2b08105d3c
- SSDEEP: 1536:hxDacx1aeg1vjrI9U/xvyyyZoEV0JuRUFyMOaHQ1l:hMf9kU0+k0JXXOeQ
Malware Config
Signatures

- Drops startup file (2 IoCs)
  description                   ioc                                                                  Process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini   Logo1_.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini   Logo1_.exe

- Executes dropped EXE (2 IoCs)
  pid   Process
  4276  Logo1_.exe
  4144  cdc4e9a97cfdb29e14ebee1564049b662945f3cde9d8ccb2e479d21c165ffdf1.exe

- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\G:  Logo1_.exe
  File opened (read-only)  \??\T:  Logo1_.exe
  File opened (read-only)  \??\S:  Logo1_.exe
  File opened (read-only)  \??\M:  Logo1_.exe
  File opened (read-only)  \??\H:  Logo1_.exe
  File opened (read-only)  \??\E:  Logo1_.exe
  File opened (read-only)  \??\Y:  Logo1_.exe
  File opened (read-only)  \??\V:  Logo1_.exe
  File opened (read-only)  \??\U:  Logo1_.exe
  File opened (read-only)  \??\O:  Logo1_.exe
  File opened (read-only)  \??\L:  Logo1_.exe
  File opened (read-only)  \??\I:  Logo1_.exe
  File opened (read-only)  \??\W:  Logo1_.exe
  File opened (read-only)  \??\Q:  Logo1_.exe
  File opened (read-only)  \??\P:  Logo1_.exe
  File opened (read-only)  \??\N:  Logo1_.exe
  File opened (read-only)  \??\K:  Logo1_.exe
  File opened (read-only)  \??\J:  Logo1_.exe
  File opened (read-only)  \??\Z:  Logo1_.exe
  File opened (read-only)  \??\X:  Logo1_.exe
  File opened (read-only)  \??\R:  Logo1_.exe
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (4 IoCs)
  description                   ioc                      Process
  File created                  C:\Windows\rundl132.exe  cdc4e9a97cfdb29e14ebee1564049b662945f3cde9d8ccb2e479d21c165ffdf1.exe
  File created                  C:\Windows\Logo1_.exe    cdc4e9a97cfdb29e14ebee1564049b662945f3cde9d8ccb2e479d21c165ffdf1.exe
  File opened for modification  C:\Windows\rundl132.exe  Logo1_.exe
  File created                  C:\Windows\Dll.dll       Logo1_.exe

- Runs net.exe

- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of WriteProcessMemory (29 IoCs)
Processes (process tree; indentation shows parent/child relationship)

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3576

  C:\Users\Admin\AppData\Local\Temp\cdc4e9a97cfdb29e14ebee1564049b662945f3cde9d8ccb2e479d21c165ffdf1.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\cdc4e9a97cfdb29e14ebee1564049b662945f3cde9d8ccb2e479d21c165ffdf1.exe"
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 1328

    C:\Windows\SysWOW64\net.exe
      command line: net stop "Kingsoft AntiVirus Service"
      - Suspicious use of WriteProcessMemory
      PID: 3476

      C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        PID: 4216

    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDB8B.bat
      - Suspicious use of WriteProcessMemory
      PID: 3808

      C:\Users\Admin\AppData\Local\Temp\cdc4e9a97cfdb29e14ebee1564049b662945f3cde9d8ccb2e479d21c165ffdf1.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\cdc4e9a97cfdb29e14ebee1564049b662945f3cde9d8ccb2e479d21c165ffdf1.exe"
        - Executes dropped EXE
        PID: 4144

    C:\Windows\Logo1_.exe
      command line: C:\Windows\Logo1_.exe
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 4276

      C:\Windows\SysWOW64\net.exe
        command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        PID: 2392

        C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 2348

      C:\Windows\SysWOW64\net.exe
        command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        PID: 4928

        C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 3588
Network
MITRE ATT&CK Enterprise v15
Downloads