d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c

Analysis

max time kernel
149s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16/04/2024, 12:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
Size

76KB
MD5

e07b751df71c59e42caa061542fa043c
SHA1

f2ef0ab1f49fd619212a5fdb8278d1e81ea1c137
SHA256

d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c
SHA512

9a3b2d1cd357e6a3393bc626fea3ce01f0063c6ff09a37bee9bfa10d0c1770d6683e81a0c2d6b65efd66df3ce37ae00f2b20a30712c66248c50bfa0aeb938ea5
SSDEEP

1536:Are+Zk7qzUJBC2KsgSMcJziXriw+d9bHrkT5gUHz7FxtJ:Are+aezUa6pBiXrBkfkT5xHzD

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
2196	Logo1_.exe
2376	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\uk-ua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\cs-cz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn_IN\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\include\win32\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\_platform_specific\win_x64\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Media Player\wmpnscfg.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\{703E9549-BDC2-4121-B382-D61E8F1A4A8B}\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\MSOXMLED.EXE	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sv-se\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pl-pl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\he-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
File created	C:\Windows\Logo1_.exe	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2040	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
2040	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
2040	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
2040	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
2040	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
2040	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
2040	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
2040	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
2040	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
2040	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
2040	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
2040	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
2040	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
2040	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
2040	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
2040	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
2040	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
2040	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
2040	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
2040	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
2040	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
2040	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
2040	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
2040	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
2040	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
2040	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
2196	Logo1_.exe
2196	Logo1_.exe
2196	Logo1_.exe
2196	Logo1_.exe
2196	Logo1_.exe
2196	Logo1_.exe
2196	Logo1_.exe
2196	Logo1_.exe
2196	Logo1_.exe
2196	Logo1_.exe
2196	Logo1_.exe
2196	Logo1_.exe
2196	Logo1_.exe
2196	Logo1_.exe
2196	Logo1_.exe
2196	Logo1_.exe
2196	Logo1_.exe
2196	Logo1_.exe
2196	Logo1_.exe
2196	Logo1_.exe
2196	Logo1_.exe
2196	Logo1_.exe
2196	Logo1_.exe
2196	Logo1_.exe
2196	Logo1_.exe
2196	Logo1_.exe
2196	Logo1_.exe
2196	Logo1_.exe
2196	Logo1_.exe
2196	Logo1_.exe
2196	Logo1_.exe
2196	Logo1_.exe
2196	Logo1_.exe
2196	Logo1_.exe
2196	Logo1_.exe
2196	Logo1_.exe
2196	Logo1_.exe
2196	Logo1_.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2040 wrote to memory of 4404	2040	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe	86
PID 2040 wrote to memory of 4404	2040	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe	86
PID 2040 wrote to memory of 4404	2040	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe	86
PID 4404 wrote to memory of 1552	4404	net.exe	88
PID 4404 wrote to memory of 1552	4404	net.exe	88
PID 4404 wrote to memory of 1552	4404	net.exe	88
PID 2040 wrote to memory of 4100	2040	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe	93
PID 2040 wrote to memory of 4100	2040	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe	93
PID 2040 wrote to memory of 4100	2040	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe	93
PID 2040 wrote to memory of 2196	2040	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe	95
PID 2040 wrote to memory of 2196	2040	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe	95
PID 2040 wrote to memory of 2196	2040	d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe	95
PID 2196 wrote to memory of 1196	2196	Logo1_.exe	96
PID 2196 wrote to memory of 1196	2196	Logo1_.exe	96
PID 2196 wrote to memory of 1196	2196	Logo1_.exe	96
PID 1196 wrote to memory of 64	1196	net.exe	98
PID 1196 wrote to memory of 64	1196	net.exe	98
PID 1196 wrote to memory of 64	1196	net.exe	98
PID 4100 wrote to memory of 2376	4100	cmd.exe	99
PID 4100 wrote to memory of 2376	4100	cmd.exe	99
PID 2196 wrote to memory of 2980	2196	Logo1_.exe	102
PID 2196 wrote to memory of 2980	2196	Logo1_.exe	102
PID 2196 wrote to memory of 2980	2196	Logo1_.exe	102
PID 2980 wrote to memory of 4788	2980	net.exe	104
PID 2980 wrote to memory of 4788	2980	net.exe	104
PID 2980 wrote to memory of 4788	2980	net.exe	104
PID 2196 wrote to memory of 3388	2196	Logo1_.exe	56
PID 2196 wrote to memory of 3388	2196	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3388
- C:\Users\Admin\AppData\Local\Temp\d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
  "C:\Users\Admin\AppData\Local\Temp\d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4404
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:1552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3604.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4100
  - - C:\Users\Admin\AppData\Local\Temp\d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe
      "C:\Users\Admin\AppData\Local\Temp\d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe"
      4⤵
      Executes dropped EXE
      PID:2376
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1196
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:64
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2980
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:4788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
264KB

MD5
398a7064313570d5e852fb87febbf03f

SHA1
117d0ca007b73a8c7115f8880f54540e37ff7490

SHA256
30429016be8ea9e22585980572b4b2af1ddabb9cba93e9222a231f4d95353751

SHA512
e96c03db73e0b3d86b6a51fcc20f4b131116b1c2a649030b8f13d60d207944bd4ec1fe734c32e3f390d454dad3f6ad780ff52209c56852cc4456559102f01c80

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
583KB

MD5
441b401c5191ddec15929d573dd9f886

SHA1
39b882580d7cdaac5467f5690376802328cd71ed

SHA256
f2ede70fc47f2c6d5a7c4c81fa5a0e9e2ea30ea8b3c8bf1faf5b41c284d8f011

SHA512
6de442770ea889cc400f5a5e0c243ef455965724ccf29ef3226102ff618af3697518d97ab56ce9ee08a7888edf11c14f2250edc2a0df244b76407cb95895d6b8

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
649KB

MD5
482a73e91b0d994114ceb6e8e1c6709e

SHA1
921ba9e891d6451017854225fe3ad646e6fb1bbf

SHA256
5960ed0b6779000f4ce9209325bedc4962cf04c31927eca1f51d0923e37522f8

SHA512
73a05a5aaca7a3bf22ca1d522a793a857deb16db761838c77fc6cd1a10e5862d2270165198fdf2a2249bc4324507b89c9e2205e69275005a0e2c42572d79a27d

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a3604.bat

Filesize
722B

MD5
4ad7d863d817582ce2ad3d0c99cc4400

SHA1
e691d913feadc16307414f2e9a6cd1a60b4b4fbe

SHA256
8f3f64bdcea2e054165e5676c109334a0edf46e4ee11b970e540b810f64d1903

SHA512
04f3a63af2e88139fdfa8d10cd716bacbe3a2a4595fb4b4cb2f3029ef6ffe13f909c79c28eb4997c6a180d5d4a158e15bd70dc13de30a7069a05c7a808c5a8dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\d44aae4258e4a38f14dc3a85f92af5d543c87ee1635fca63c4d4dbc0a5cc669c.exe.exe

Filesize
36KB

MD5
9f498971cbe636662f3d210747d619e1

SHA1
44b8e2732fa1e2f204fc70eaa1cb406616250085

SHA256
8adf6748981c3e7b62f5dbca992be6675574fffbce7673743f2d7fe787d56a41

SHA512
b73083c2f7b028d2946cb8f7b4fe2289fedaa4175364a2aac37db0aeff4602aede772ccc9eba7e6dcfcb7276e52604ca45d8021952201b5834485b48bca3dc93

Download Submit
C:\Windows\Logo1_.exe

Filesize
39KB

MD5
0209d825c40705a1752ceecc4fe453c6

SHA1
875b45703ab4a4f9b7b13c16277b235d43f075ef

SHA256
0fbeb3b115479ea9f34e86e511238d235b942922660740d37e9f249b4e3fdf1e

SHA512
b88b1ba93382a3a6fe4253a0c8fe69baa02a0c0dd74b2e6c79d7688f5c16be144676bb7bd3e061be96603148738845fddd05bbd4782d3abcb0bf495c1c96aa40

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1132431369-515282257-1998160155-1000\_desktop.ini

Filesize
9B

MD5
02ced53ce3f5b175c3bbec378047e7a7

SHA1
dafdf07efa697ec99b3d7b9f7512439a52ea618d

SHA256
485bb2341321a2837fd015a36963ea549c7c6f40985e165fd56c8a1e89b3f331

SHA512
669dde3ea8628704d40681a7f8974cf52985385c92a61a540c97c18c13eb4d451207ae171b2a56cd061cadbc90e672a84eb55111b1f5016846918d73fb075c99

Download Submit
memory/2040-8-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2040-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2196-17-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2196-5364-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2196-9-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2196-8693-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download