Analysis
- max time kernel: 150s
- max time network: 96s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28/05/2024, 08:03
- Static task: static1
- Behavioral task: behavioral1
  - Sample: c077728a0c290ba8f96b81ea0d915cd5d77d89990435d332747dbd67d2aa5f6e.exe
  - Resource: win7-20240215-en
General
- Target: c077728a0c290ba8f96b81ea0d915cd5d77d89990435d332747dbd67d2aa5f6e.exe
- Size: 50KB
- MD5: 7a5b7ffa724719d0192866634464c040
- SHA1: fa0a62aa6282576858285ee5396b16bd807c719b
- SHA256: c077728a0c290ba8f96b81ea0d915cd5d77d89990435d332747dbd67d2aa5f6e
- SHA512: 3759b3f41f997a1f0a5d90adf1404c6f4af45e5d6cead213633661d9e6a6c6e657ec949d3f821d87c132e9136f0eb6c8633314b72686ac3796cbf1624843af0c
- SSDEEP: 768:PLpnGnElOIEvzMXqtwp/lttaL7HP4wIncLRdR5kP78a0RJW/a9IOOlT+P9zLLpKE:PhUaYzMXqtGNttyUn01Q78a4RCoH3WW
Malware Config
Signatures
- Drops file in Drivers directory (2 IoCs)
  - File opened for modification C:\Windows\system32\drivers\etc\hosts (Process: c077728a0c290ba8f96b81ea0d915cd5d77d89990435d332747dbd67d2aa5f6e.exe)
  - File opened for modification C:\Windows\system32\drivers\etc\hosts (Process: Logo1_.exe)
- Drops startup file (2 IoCs)
  - File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (Process: Logo1_.exe)
  - File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (Process: Logo1_.exe)
- Executes dropped EXE (2 IoCs)
  - PID 2028: Logo1_.exe
  - PID 4176: c077728a0c290ba8f96b81ea0d915cd5d77d89990435d332747dbd67d2aa5f6e.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  - File opened (read-only), Process Logo1_.exe: \??\P:, \??\M:, \??\H:, \??\K:, \??\J:, \??\I:, \??\Y:, \??\X:, \??\Q:, \??\O:, \??\N:, \??\G:, \??\W:, \??\U:, \??\S:, \??\L:, \??\E:, \??\Z:, \??\V:, \??\T:, \??\R:
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (4 IoCs)
  - File created C:\Windows\rundl132.exe (Process: c077728a0c290ba8f96b81ea0d915cd5d77d89990435d332747dbd67d2aa5f6e.exe)
  - File created C:\Windows\Logo1_.exe (Process: c077728a0c290ba8f96b81ea0d915cd5d77d89990435d332747dbd67d2aa5f6e.exe)
  - File opened for modification C:\Windows\rundl132.exe (Process: Logo1_.exe)
  - File created C:\Windows\Dll.dll (Process: Logo1_.exe)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  - PID 4012: c077728a0c290ba8f96b81ea0d915cd5d77d89990435d332747dbd67d2aa5f6e.exe (listed repeatedly)
  - PID 2028: Logo1_.exe (listed repeatedly)
- Suspicious use of WriteProcessMemory (29 IoCs; each entry is listed as pid, Process, procid_target)
  - PID 4012 wrote to memory of 1100: 4012 c077728a0c290ba8f96b81ea0d915cd5d77d89990435d332747dbd67d2aa5f6e.exe, target 81 (x3)
  - PID 1100 wrote to memory of 3068: 1100 net.exe, target 83 (x3)
  - PID 4012 wrote to memory of 2928: 4012 c077728a0c290ba8f96b81ea0d915cd5d77d89990435d332747dbd67d2aa5f6e.exe, target 88 (x3)
  - PID 4012 wrote to memory of 2028: 4012 c077728a0c290ba8f96b81ea0d915cd5d77d89990435d332747dbd67d2aa5f6e.exe, target 90 (x3)
  - PID 2028 wrote to memory of 3004: 2028 Logo1_.exe, target 91 (x3)
  - PID 3004 wrote to memory of 1852: 3004 net.exe, target 93 (x3)
  - PID 2928 wrote to memory of 4176: 2928 cmd.exe, target 94 (x3)
  - PID 2028 wrote to memory of 1540: 2028 Logo1_.exe, target 97 (x3)
  - PID 1540 wrote to memory of 2116: 1540 net.exe, target 99 (x3)
  - PID 2028 wrote to memory of 3476: 2028 Logo1_.exe, target 55 (x2)
Processes
- C:\Windows\Explorer.EXE (PID 3476)
  - C:\Users\Admin\AppData\Local\Temp\c077728a0c290ba8f96b81ea0d915cd5d77d89990435d332747dbd67d2aa5f6e.exe, command line: "C:\Users\Admin\AppData\Local\Temp\c077728a0c290ba8f96b81ea0d915cd5d77d89990435d332747dbd67d2aa5f6e.exe" (PID 4012)
    Signatures: Drops file in Drivers directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe, command line: net stop "Kingsoft AntiVirus Service" (PID 1100)
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe, command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service" (PID 3068)
    - C:\Windows\SysWOW64\cmd.exe, command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3B44.bat (PID 2928)
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\c077728a0c290ba8f96b81ea0d915cd5d77d89990435d332747dbd67d2aa5f6e.exe, command line: "C:\Users\Admin\AppData\Local\Temp\c077728a0c290ba8f96b81ea0d915cd5d77d89990435d332747dbd67d2aa5f6e.exe" (PID 4176)
        Signatures: Executes dropped EXE
    - C:\Windows\Logo1_.exe, command line: C:\Windows\Logo1_.exe (PID 2028)
      Signatures: Drops file in Drivers directory; Drops startup file; Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe, command line: net stop "Kingsoft AntiVirus Service" (PID 3004)
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe, command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service" (PID 1852)
      - C:\Windows\SysWOW64\net.exe, command line: net stop "Kingsoft AntiVirus Service" (PID 1540)
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe, command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service" (PID 2116)
Network
MITRE ATT&CK Enterprise v15
Downloads