Analysis
max time kernel: 150s
max time network: 107s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-05-2024 06:31
Static task: static1
Behavioral task: behavioral1
Sample: 8f7967e4b73e56a8609d191ed2e6581f5f243f5edd86f3c75400f6ada196aab8.exe
Resource: win7-20240221-en
General
Target: 8f7967e4b73e56a8609d191ed2e6581f5f243f5edd86f3c75400f6ada196aab8.exe
Size: 264KB
MD5: f04c8356290aad179786b1bb41589a32
SHA1: 269a5d344179defe75053675a77d5c13e2de6099
SHA256: 8f7967e4b73e56a8609d191ed2e6581f5f243f5edd86f3c75400f6ada196aab8
SHA512: 68f6c81ba09c4aa51a8daaa54adddd0b5f59b1640087c7ce97a88531b96bb2b168dd2e3d310575a9704c0ffe0f05030653f2f3b28c86f2d3104e0414084c1124
SSDEEP: 3072:F/ee+aEjb3ObLRkgUA1nQZwFGVO4Mqg+WDY:pH+aE/oLRp1nQ4QLd
Malware Config
Signatures
Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
Executes dropped EXE (2 IoCs)
pid | Process
1884 | Logo1_.exe
3984 | 8f7967e4b73e56a8609d191ed2e6581f5f243f5edd86f3c75400f6ada196aab8.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\S: \??\K: \??\Y: \??\V: \??\M: \??\L: \??\J: \??\H: \??\Z: \??\W: \??\T: \??\E: \??\X: \??\R: \??\Q: \??\P: \??\O: \??\N: \??\I: \??\G: \??\U: (21 drive roots, one IoC each) | Logo1_.exe
Drops file in Program Files directory (64 IoCs)
description | ioc (Process is Logo1_.exe for every entry)
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\uk-ua\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\collect_feedback\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\eu-es\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Playstore\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sk-sk\_desktop.ini
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\_desktop.ini
File created | C:\Program Files\Java\jre-1.8\lib\ext\_desktop.ini
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\pt-br\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\css\_desktop.ini
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\_desktop.ini
File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\en-US\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nl-nl\_desktop.ini
File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hr-hr\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-gb\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pl-pl\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\_desktop.ini
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\_desktop.ini
File created | C:\Program Files\VideoLAN\VLC\lua\meta\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fi-fi\_desktop.ini
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nl-nl\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\zh-tw\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\hi_contrast\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\_desktop.ini
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hr-hr\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\hu-hu\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-gb\_desktop.ini
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini
File created | C:\Program Files\VideoLAN\VLC\locale\ca@valencia\_desktop.ini
File created | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\it-IT\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-ae\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\_desktop.ini
File created | C:\Program Files\VideoLAN\VLC\locale\fur\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\it-it\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fi-fi\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\nl-nl\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\pt-br\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sv-se\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\uk-ua\_desktop.ini
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\_desktop.ini
File created | C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\3C3AE237-9CF6-4A14-8B70-0116E1CE63C6\_desktop.ini
File created | C:\Program Files\VideoLAN\VLC\locale\tt\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\_desktop.ini
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-ae\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\es-es\_desktop.ini
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ky\_desktop.ini
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\rundl132.exe | 8f7967e4b73e56a8609d191ed2e6581f5f243f5edd86f3c75400f6ada196aab8.exe
File created | C:\Windows\Logo1_.exe | 8f7967e4b73e56a8609d191ed2e6581f5f243f5edd86f3c75400f6ada196aab8.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\Dll.dll | Logo1_.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3708 | 8f7967e4b73e56a8609d191ed2e6581f5f243f5edd86f3c75400f6ada196aab8.exe (repeated entries)
1884 | Logo1_.exe (repeated entries)
Suspicious use of WriteProcessMemory (29 IoCs)
description | pid | Process | procid_target | entries
PID 3708 wrote to memory of 1192 | 3708 | 8f7967e4b73e56a8609d191ed2e6581f5f243f5edd86f3c75400f6ada196aab8.exe | 85 | 3
PID 1192 wrote to memory of 2960 | 1192 | net.exe | 87 | 3
PID 3708 wrote to memory of 2492 | 3708 | 8f7967e4b73e56a8609d191ed2e6581f5f243f5edd86f3c75400f6ada196aab8.exe | 91 | 3
PID 3708 wrote to memory of 1884 | 3708 | 8f7967e4b73e56a8609d191ed2e6581f5f243f5edd86f3c75400f6ada196aab8.exe | 92 | 3
PID 1884 wrote to memory of 2984 | 1884 | Logo1_.exe | 94 | 3
PID 2984 wrote to memory of 1944 | 2984 | net.exe | 96 | 3
PID 2492 wrote to memory of 3984 | 2492 | cmd.exe | 98 | 3
PID 1884 wrote to memory of 4816 | 1884 | Logo1_.exe | 99 | 3
PID 4816 wrote to memory of 1164 | 4816 | net.exe | 101 | 3
PID 1884 wrote to memory of 3436 | 1884 | Logo1_.exe | 57 | 2
Processes (child processes are indented under their parent)
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3436
  C:\Users\Admin\AppData\Local\Temp\8f7967e4b73e56a8609d191ed2e6581f5f243f5edd86f3c75400f6ada196aab8.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\8f7967e4b73e56a8609d191ed2e6581f5f243f5edd86f3c75400f6ada196aab8.exe"
    PID: 3708
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe
      command line: net stop "Kingsoft AntiVirus Service"
      PID: 1192
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        PID: 2960
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a495D.bat
      PID: 2492
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\8f7967e4b73e56a8609d191ed2e6581f5f243f5edd86f3c75400f6ada196aab8.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\8f7967e4b73e56a8609d191ed2e6581f5f243f5edd86f3c75400f6ada196aab8.exe"
        PID: 3984
        - Executes dropped EXE
    C:\Windows\Logo1_.exe
      command line: C:\Windows\Logo1_.exe
      PID: 1884
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe
        command line: net stop "Kingsoft AntiVirus Service"
        PID: 2984
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 1944
      C:\Windows\SysWOW64\net.exe
        command line: net stop "Kingsoft AntiVirus Service"
        PID: 4816
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 1164
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 258KB
MD5: 5be1a57d5fe22c6f8163c2a252aeff1c
SHA1: f81e90464a240e4d010a0b5cd9a8545e4079e2e5
SHA256: b30ca3e7cf439d94b28706bc400e5cd683da5e167db1beaa2e2665a70d2bb35f
SHA512: 97200d822b2987d0ad051b9d8d93013d5872ed2203d4a8fbdaf85d9a67ac7b3289ff17ea155442f0919bbe7f00c4f80c6d906c75335a60ff4e59c88991cae5fa

Filesize: 577KB
MD5: ff8d24ee31f6ec4be5e58e5780536478
SHA1: fbb92f8a0fc2c9583f74dcfeaf61402115fe3f9c
SHA256: faaa7fc6289ca74e5b44f03ce3c72ece945c12f43510ea80e382b1016e588d5a
SHA512: 55715c9b036d1561adb4d2bf10c8d4b77fd39f8a25e4a8d345d7731b3e3b10e1ef24815053a129334e5b54afd69a9fa00f6897c2b66388d9467f3f3ef9af13cc

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize: 643KB
MD5: a819ddb079d1415d5f3e1e270b4b15a7
SHA1: bd1448e78fe7ac3e3edd1499336ea0729265f62c
SHA256: cb5f707c238845f2dd4adf94f640353746db18ec01001b750a7bc28e1b7155bb
SHA512: 87b72d4b32352ff020c51e7c14f9e77f76fd6cc372724f373b8ea60c7d70034cb7cc590f3584bbfb7a2a78e1dcdf1f493f333ddd12b70b6b9750a7aa94583af7

Filesize: 722B
MD5: 00080f890dd783fb3648fd34b6a32bcc
SHA1: 61a0e6f0957974c0aeb80c863a1e520f97c7e277
SHA256: ed53ffec01f9705d236f873e8a74baf5b1b78a391a430a65e1d44f1f49d0d88d
SHA512: 0e44959f0be0bcd6bed43e3a48691627baa096635a0a2597176b8f7268999dcd6c724f05e9fcf591447e5984a1ef1dbd2ebb25078344a87e7dafecf0cc090bfd

C:\Users\Admin\AppData\Local\Temp\8f7967e4b73e56a8609d191ed2e6581f5f243f5edd86f3c75400f6ada196aab8.exe.exe
Filesize: 231KB
MD5: 6f581a41167d2d484fcba20e6fc3c39a
SHA1: d48de48d24101b9baaa24f674066577e38e6b75c
SHA256: 3eb8d53778eab9fb13b4c97aeab56e4bad2a6ea3748d342f22eaf4d7aa3185a7
SHA512: e1177b6cea89445d58307b3327c78909adff225497f9abb8de571cdd114b547a8f515ec3ab038b583bf752a085b231f6329d6ca82fbe6be8a58cd97a1dbaf0f6

Filesize: 33KB
MD5: 043e948e522cb48ab23f8d6d6b427a70
SHA1: 02f710820234d0123bb483ef99c12dd18b850fe5
SHA256: 8a60fd8455b44d550cbea3eb327672b4783ba7e4042d885b260b214d7466a7bb
SHA512: f1940880eb749c4a5f4f42723feb86a06ab118144fefdb5e6b9732dbca661a41ce7a0ef3256df6ae95cd7a39dc35b2128bef28a6f7cdf3eedaaea2a160f02019

Filesize: 9B
MD5: 4b2b75605a65a6762ec4715de0a70902
SHA1: 3b85993ef06d2d814abc405188fdd19a1bffea0c
SHA256: 77072cc5a7b394508cf5d819ff8cf4385a9b3cb15d8715a59845ccfa235ea34e
SHA512: 888361e75afd4308bdad817af543704a42ffdf2d798acef619459e9978ac68f1cf4d468c6e0b146ab738b0109fdf331c4380471aa83f637b0f6ab06164840c65