e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5

Analysis

max time kernel
149s
max time network
95s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2024, 03:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe
Size

6.5MB
MD5

701d0e0c9d2ff5afd46062d441629e31
SHA1

b3c6ca84ae058c7a27695d36e3715f7268129671
SHA256

e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5
SHA512

cfc09be40c82568f56464bc6a0054a743b31532eefe419dfd2cb2378752d3f4368dccb907057a3e7e42a52f51eed1d91ec20584808e10df43018e8283e5eaa9c
SSDEEP

196608:mBCzNA7rlvRz1rrFBV6tpjuj6gYPKHCKsg:8jUtYj6gYPYp

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
2100	Logo1_.exe
1284	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sl-si\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Media Player\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-sl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\zh-tw\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pt-br\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\he-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sv-se\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ca-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\BIN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ru-ru\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\hr-hr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ICE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zu\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\control\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EURO\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\plugin2\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Media Player\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe
File created	C:\Windows\Logo1_.exe	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2372	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe
2372	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe
2372	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe
2372	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe
2372	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe
2372	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe
2372	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe
2372	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe
2372	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe
2372	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe
2372	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe
2372	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe
2372	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe
2372	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe
2372	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe
2372	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe
2372	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe
2372	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe
2372	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe
2372	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe
2372	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe
2372	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe
2372	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe
2372	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe
2372	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe
2372	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe
2100	Logo1_.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1284	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 1876	2372	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe	80
PID 2372 wrote to memory of 1876	2372	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe	80
PID 2372 wrote to memory of 1876	2372	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe	80
PID 1876 wrote to memory of 5088	1876	net.exe	82
PID 1876 wrote to memory of 5088	1876	net.exe	82
PID 1876 wrote to memory of 5088	1876	net.exe	82
PID 2372 wrote to memory of 1260	2372	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe	83
PID 2372 wrote to memory of 1260	2372	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe	83
PID 2372 wrote to memory of 1260	2372	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe	83
PID 2372 wrote to memory of 2100	2372	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe	85
PID 2372 wrote to memory of 2100	2372	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe	85
PID 2372 wrote to memory of 2100	2372	e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe	85
PID 2100 wrote to memory of 1568	2100	Logo1_.exe	86
PID 2100 wrote to memory of 1568	2100	Logo1_.exe	86
PID 2100 wrote to memory of 1568	2100	Logo1_.exe	86
PID 1260 wrote to memory of 1284	1260	cmd.exe	88
PID 1260 wrote to memory of 1284	1260	cmd.exe	88
PID 1568 wrote to memory of 4780	1568	net.exe	89
PID 1568 wrote to memory of 4780	1568	net.exe	89
PID 1568 wrote to memory of 4780	1568	net.exe	89
PID 2100 wrote to memory of 4864	2100	Logo1_.exe	90
PID 2100 wrote to memory of 4864	2100	Logo1_.exe	90
PID 2100 wrote to memory of 4864	2100	Logo1_.exe	90
PID 4864 wrote to memory of 4020	4864	net.exe	92
PID 4864 wrote to memory of 4020	4864	net.exe	92
PID 4864 wrote to memory of 4020	4864	net.exe	92
PID 2100 wrote to memory of 3416	2100	Logo1_.exe	56
PID 2100 wrote to memory of 3416	2100	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3416
- C:\Users\Admin\AppData\Local\Temp\e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe
  "C:\Users\Admin\AppData\Local\Temp\e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2372
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1876
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:5088
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a53FC.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1260
  - - C:\Users\Admin\AppData\Local\Temp\e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe
      "C:\Users\Admin\AppData\Local\Temp\e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:1284
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2100
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1568
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:4780
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4864
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:4020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
258KB

MD5
4c15a1329088ff77b5479df438370ffd

SHA1
591de2b5b117bd70cefebc1b13a1ea595a63495c

SHA256
c6268df7f49f01b090ac4c8c1b50335d45d826f41d8d2bbb0979472f02eaa20b

SHA512
ad29663a5ec1f50dd06d9eb9a2a372e0cd4026dbdc63a315dcc0729c0d11666de703c3410eebe195bd25043b7bb5542734f58726a320f26c384ce34600b687ad

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
577KB

MD5
d5d3dc28863cae736a7e7ec4e849d398

SHA1
b8dbd217c4787911f0ea5418b09f68e4f8e49deb

SHA256
ef4f7bbf0f526605447529e2bdec39d49ea1ded67d9aaa3322c4b22108d0f9d3

SHA512
97d13dda95fd406dc118778132e045a98596dc43d49eea49be65d649fd7a287c398d1f270401ccf706a4982baa6c35cf0cffb09b1e88050b0c0e13291044724d

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
643KB

MD5
c13829dbc1ac12f05d12e1dbad982e30

SHA1
960baf69ff0079d77cd7f7a9e69d6fd806d20783

SHA256
86d5ce82c71e2c3c86b994d4e0ed1ba15106dbf9b1319d3d8270794346c63d5d

SHA512
73bc97687a97d6ca378c2b0b76d3a1443f761ebdb603e373ead6a2b979ce416a329509261e89707afb3cca6fd8dbc27a07ee7ee28ef1936d47aa12d9e434a11b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a53FC.bat

Filesize
722B

MD5
63fb6b9bebcedafc5b705b3d53b94d34

SHA1
995e8d3141d4152f320239f19ab7c5a7aa2851ea

SHA256
d97cfb55f36fd3342ce06cb53930a72ec427141df529da6d515c45fdd85fdfdf

SHA512
17302dd829801067f9aa586353bc0ea51e1197f56ad134caef6092a501a34633176857619e9af1ffdbe683aec47319485ab8a2a68dbb9fc7a7389644654b24d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\config\chocolatey.config.1284.update

Filesize
9KB

MD5
78e591860832608ebc49dddd9fc0e1db

SHA1
d927f135f15190f95805dd8bfe6df0de20dfff53

SHA256
ccb5f71ce184e151412a8f04144011ba4da50371c20ef12778d276577f691f9a

SHA512
57f334f57f0aaba4238e7ce834784dece8e81cceae248999f1a45aa8fed0b86fe20f3d6ac6fb3649cf653e9f65f3b35695e203f1d6ed1e54e073df10fe008fc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\e41fba9bd3a1fd51df82b24fbb90831877e373f177256d7a2b7c4e8c76e915e5.exe.exe

Filesize
6.4MB

MD5
f24affc10132405930282aaeb206b7b7

SHA1
462d7a447a7d6f06bf3083c2af2f00b615c6a1a0

SHA256
abcca6f158b94303d92197bf8e6db545fe4929161e3767619176c4574ccb70fc

SHA512
c7729e3a050797b7d2c6ee07cc432c6dca56ffdb6b7e2662b1a70c90e287bbb2480a3752f262a896110f60f9ce18f884452f3cae3a06c80bef5eec476fba8cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\redirects\choco.exe

Filesize
166KB

MD5
107b5b7cb20d320ad19fc3c6bbe887a8

SHA1
e0eb03a0d7fc80bc4907457738c8a015f04cb614

SHA256
fdf9fe960774a32f5ec6a4024d4e1cb8703d9b4c5d5b2c753686008d87e428ef

SHA512
ac0bd3d434161da2445cc989c2d4ea10494b272a7a84bc25b74ea3a89e4a84909fb6b53285e100a4e5cbf7f15365728e0d19401f9748174ca6bebc73c55a3f50

Download Submit
C:\Users\Admin\AppData\Local\Temp\redirects\chocolatey.exe

Filesize
166KB

MD5
d4dc2658a635c38cc1f8a3bbdc85878b

SHA1
5d258030841fc4abc81ed91290aad0f2e8af0a75

SHA256
b4b667463f62c561e3aca334aa8ee416277358015af199b5baf18e50dd4a46e4

SHA512
34ce7cdfa50ad0e195b983d23a8b8dab7322f83c177e6f9c3a32fffdfd26f0f60ad3d59d5423d66886e1a14514e7f8c72f3652b5bcf0baa5b38bae77595415af

Download Submit
C:\Users\Admin\AppData\Local\Temp\redirects\cinst.exe

Filesize
166KB

MD5
ea5eac1fa7770d794703be27c6ab9509

SHA1
7e225583b5a9071b4be91a92e888b53e03e7ce4e

SHA256
030ad9e1b558fe30e9652258d550926fc1e3a8d3f3425878208c4da0a2230f73

SHA512
b97ce9a42071531a22d67ba5e166b6c5956212073eb299c9284d97427271a758e1bd54447ffa9e867ee108b89fbab230ec776c0b5f309282fe93666a29d0e436

Download Submit
C:\Users\Admin\AppData\Local\Temp\redirects\clist.exe

Filesize
166KB

MD5
431f632d063e2ce0b02cb58f76a6f4db

SHA1
f0fd6a8032cf0b64a719af211f17c29cbbd71867

SHA256
d3c1537db3bd1291d8f3d02f2b5b389e617e1c3f5db6f2d6b2b65b5e3c62f782

SHA512
e1412b9b572f2b42b841061d7407c62f026f93f3f9d2b3f9cf6cd8c1cffc42fcdf3c1d533fc146940b8fa750964ff6817bce97d5b832f5c46ec0ce03abe8c9a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\redirects\cpack.exe

Filesize
166KB

MD5
5c0fd4573ea96cb6a09e3a643bac9baa

SHA1
5642248440f2bafe5ba2b808cacb672ca0a2b48d

SHA256
20484f76e423bef81f972a20687699c16c768bb8c4e2545cdedf29048f09cb2b

SHA512
0bbbf3745f71d5a4a55189172a48d16ec8de74f0eb2f42ec60ac551a6fc9ed2e2541b080bc037aa4800f32ed8b184ee713442146bf3fb07fe731554e4b813ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\redirects\cpush.exe

Filesize
166KB

MD5
8d0778398d7a7682874f981ff4e777d6

SHA1
f562294b4f09bdcc894c56bd7fe4a20fca200830

SHA256
8676f37ed98a5d39bcabc7a0cff8acb66d7f2ab3ef9e63c22f209a42b27b9f39

SHA512
3b5e3c22538b59810dbdfb5304074a55b430bbea43591da90dab2fd39458e5409cb2f546baf157531e24dc403a0aeff7427e7258c48dcfca9029698bdf2c02d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\redirects\cuninst.exe

Filesize
166KB

MD5
74672659dbb15463745ac1cf53b2719b

SHA1
2db8fa5baef7aefe88751ea7316310976cb6b3a0

SHA256
2c876cb70d69a564ba55a84108418929469080f5d69edb12c4b86590311fab4b

SHA512
021e9a5a4350fd50a1d8cabcaa236609dfe11ce81755751440e05713c732c27900dcbd42679da633eabb7d49e6ef6110af433b5301fc1043e3ff7313949cb892

Download Submit
C:\Users\Admin\AppData\Local\Temp\redirects\cup.exe

Filesize
166KB

MD5
dd422690472faa641a8631774da02c91

SHA1
ceebcbd95467b7f08ddb8a09e0db20c51f067620

SHA256
15ea4d439951f7849ed1cf04fe6d66eaeb8d34c262723de0c417686578b44e35

SHA512
eeecdaaef72085e35964c4f95c74ebdf2dcdaaca6aee83c0277ff8530500d45a92dca89a58ddc61a728fb988a86f427d533113d2b38918d3d2b3d2cb71f3ab1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\redirects\cver.exe

Filesize
166KB

MD5
426d14a16575347dc4721f1677007929

SHA1
33060825185ebb33297d002c6fb7205bf5306bff

SHA256
17f9b520086be45509b44f1630aa51ff80cb257697344b052fc71909e69cf954

SHA512
6ad827ad1bd9c1f3d91157138952c4dbabcee2813d481a74fbe951a3490ed5c4ef69a9abb01eae574e88511a339bfe60feb97c0e972b29f94f067c91aeb227ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\tools\7z.exe

Filesize
317KB

MD5
009e2d29ac4ed4332f533c255e12b5cc

SHA1
04fc4fb77336578ca136e8678e3108679da38e50

SHA256
d3b3541f1f502fe76d2fd7d020599cbfefa940181ce8df6da17727f8ee198cff

SHA512
34c3886910820018805da6c9e869ccc3b243101e42983fc7f64619aad388783d50ade7e8cd6b776fae985156bdf794fc021a3fa602c3a958972dff9e2e529693

Download Submit
C:\Users\Admin\AppData\Local\Temp\tools\checksum.exe

Filesize
61KB

MD5
53f11ba47b02c57626d9c5284f0f7123

SHA1
aef3f4169eb8ccd098fbbd9dec1bc9dabfe3f8f3

SHA256
6c4105af0532f80ee6589683bb4ccb208564416847dd038b830901f4db20715c

SHA512
50782d9f415dbcc8e9ad055e2f76c75c637d044388aba2042c00555f9ceecd3a8bdb31d619be9ca02c95ddf19da648e914939411e45e44d6652e089dbc0149c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tools\shimgen.exe

Filesize
228KB

MD5
72631261aab204534c06415e65ddafdd

SHA1
996a700395860108c39cf1719cbb62b87dfc8cb2

SHA256
ea4f246e9ccb90f753f0648f6ad155a459915ba396ef318865154cacb9f98420

SHA512
6f8531218971a5ae2290a0f0e97f262bed97481ac11145c2720888c97b2daf50abde730592a4798b1403857a5af5a1670b7606d1194fbad986d13ffd58adc056

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
9b7334d808b965b2b0dfd26f684a4632

SHA1
0bba0aa953c9e68f0d4bd4a33fd6fb52bc32866d

SHA256
6daa784e747e00acbba8d08b4f0b58c98b6d784b5c210ecaa6e7c2c130f14598

SHA512
860646ec685aeb185e3bd308e103408f6f95327282463d36d00b7c6abf0a87fe82fa7e78c6e488dcda5b8023534084b40d21c9767646aef91826f436fa8f967f

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2539840389-1261165778-1087677076-1000\_desktop.ini

Filesize
9B

MD5
4d28283e4d415600ffc2f8fda6d8c91e

SHA1
053dcb8d5d84b75459bc82d8740ee4684d680016

SHA256
b855effeaf01610130d3f38de35bc7f98bfc6643d98d4198af18534f048e8df7

SHA512
73a758cd5e5ac48d62dd89719be604214895e0cc9a10ff7464a6cf9161a37fd27d15dd2d2565f18198b381ac6442bcb36f38614df7b1176061a83616517a7edb

Download Submit
memory/1284-15-0x0000000000E10000-0x0000000001484000-memory.dmp

Filesize
6.5MB

Download
memory/1284-51-0x00007FFE23A13000-0x00007FFE23A15000-memory.dmp

Filesize
8KB

Download
memory/1284-129-0x00007FFE23A10000-0x00007FFE244D1000-memory.dmp

Filesize
10.8MB

Download
memory/1284-130-0x00007FFE23A10000-0x00007FFE244D1000-memory.dmp

Filesize
10.8MB

Download
memory/1284-23-0x00000000036A0000-0x00000000036BE000-memory.dmp

Filesize
120KB

Download
memory/1284-22-0x000000001C220000-0x000000001C296000-memory.dmp

Filesize
472KB

Download
memory/1284-21-0x00000000036F0000-0x0000000003740000-memory.dmp

Filesize
320KB

Download
memory/2100-5100-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2100-11-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2100-132-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2100-8818-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2372-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2372-10-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download