Analysis
max time kernel: 151s
max time network: 158s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03/06/2024, 05:31

Static task: static1
Behavioral task: behavioral1
Sample: 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe
Resource: win7-20240221-en

General
Target: 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe
Size: 963KB
MD5: 8908d6c8557aaffd0570a23338de4634
SHA1: e0804947d3156e9ce9814bfd6ecb58111808284c
SHA256: 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2
SHA512: e9f59343321ebca763a64e640d0f336ebd765f509cc47fa7505ae5bafe3f4f7abbb94b1adc9489db09d2014992b101a134c2d0e9b8d46df092a68ee40bc6a979
SSDEEP: 12288:n1quIoRKcv8Nh7py6Rmi78gkPH3aPI9vyVg/0paQuj3IdD02fKBjtp/:n1qfBpDRmi78gkPXlyo0G/jr
Malware Config
Signatures
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe

Executes dropped EXE 2 IoCs
pid | Process
1572 | Logo1_.exe
4712 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\hr-hr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\host\fxr\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\it-IT\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\es-es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Uninstall Information\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pt-br\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ko-kr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-ae\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\si\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\de-de\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hu-hu\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-gb\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\es-es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fi-fi\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\pt-br\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-fr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\es-es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pt-br\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sv-se\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\zh-cn\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ca-es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pl-pl\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-sl\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\he-il\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\nb-no\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\BHO\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nl-nl\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\es-es\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\root\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\zh-tw\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nb-no\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\et\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\kn\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-cn\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nb-no\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ro-ro\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-gb\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\tr-tr\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Security\BrowserCore\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\uk-UA\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\Simple\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pt-br\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\_desktop.ini | Logo1_.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\Dll.dll | Logo1_.exe
File created | C:\Windows\rundl132.exe | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe
File created | C:\Windows\Logo1_.exe | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
1972 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe
1972 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe
1972 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe
1972 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe
1972 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe
1972 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe
1972 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe
1972 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe
1972 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe
1972 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe
1972 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe
1972 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe
1972 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe
1972 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe
1972 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe
1972 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe
1972 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe
1972 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe
1972 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe
1972 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe
1972 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe
1972 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe
1972 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe
1972 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe
1972 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe
1972 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe
1572 | Logo1_.exe
1572 | Logo1_.exe
1572 | Logo1_.exe
1572 | Logo1_.exe
1572 | Logo1_.exe
1572 | Logo1_.exe
1572 | Logo1_.exe
1572 | Logo1_.exe
1572 | Logo1_.exe
1572 | Logo1_.exe
1572 | Logo1_.exe
1572 | Logo1_.exe
1572 | Logo1_.exe
1572 | Logo1_.exe
1572 | Logo1_.exe
1572 | Logo1_.exe
1572 | Logo1_.exe
1572 | Logo1_.exe
1572 | Logo1_.exe
1572 | Logo1_.exe
1572 | Logo1_.exe
1572 | Logo1_.exe
1572 | Logo1_.exe
1572 | Logo1_.exe
1572 | Logo1_.exe
1572 | Logo1_.exe
1572 | Logo1_.exe
1572 | Logo1_.exe
1572 | Logo1_.exe
1572 | Logo1_.exe
1572 | Logo1_.exe
1572 | Logo1_.exe
1572 | Logo1_.exe
1572 | Logo1_.exe
1572 | Logo1_.exe
1572 | Logo1_.exe
1572 | Logo1_.exe
1572 | Logo1_.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeRestorePrivilege | 4712 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe
Token: 35 | 4712 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe

Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 1972 wrote to memory of 5028 | 1972 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe | 91
PID 1972 wrote to memory of 5028 | 1972 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe | 91
PID 1972 wrote to memory of 5028 | 1972 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe | 91
PID 5028 wrote to memory of 2756 | 5028 | net.exe | 93
PID 5028 wrote to memory of 2756 | 5028 | net.exe | 93
PID 5028 wrote to memory of 2756 | 5028 | net.exe | 93
PID 1972 wrote to memory of 4936 | 1972 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe | 94
PID 1972 wrote to memory of 4936 | 1972 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe | 94
PID 1972 wrote to memory of 4936 | 1972 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe | 94
PID 1972 wrote to memory of 1572 | 1972 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe | 96
PID 1972 wrote to memory of 1572 | 1972 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe | 96
PID 1972 wrote to memory of 1572 | 1972 | 4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe | 96
PID 1572 wrote to memory of 3356 | 1572 | Logo1_.exe | 97
PID 1572 wrote to memory of 3356 | 1572 | Logo1_.exe | 97
PID 1572 wrote to memory of 3356 | 1572 | Logo1_.exe | 97
PID 3356 wrote to memory of 3312 | 3356 | net.exe | 99
PID 3356 wrote to memory of 3312 | 3356 | net.exe | 99
PID 3356 wrote to memory of 3312 | 3356 | net.exe | 99
PID 4936 wrote to memory of 4712 | 4936 | cmd.exe | 100
PID 4936 wrote to memory of 4712 | 4936 | cmd.exe | 100
PID 1572 wrote to memory of 2076 | 1572 | Logo1_.exe | 101
PID 1572 wrote to memory of 2076 | 1572 | Logo1_.exe | 101
PID 1572 wrote to memory of 2076 | 1572 | Logo1_.exe | 101
PID 2076 wrote to memory of 1712 | 2076 | net.exe | 103
PID 2076 wrote to memory of 1712 | 2076 | net.exe | 103
PID 2076 wrote to memory of 1712 | 2076 | net.exe | 103
PID 1572 wrote to memory of 3360 | 1572 | Logo1_.exe | 57
PID 1572 wrote to memory of 3360 | 1572 | Logo1_.exe | 57
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3360

  C:\Users\Admin\AppData\Local\Temp\4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe"
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 1972

    C:\Windows\SysWOW64\net.exe
      Command line: net stop "Kingsoft AntiVirus Service"
      - Suspicious use of WriteProcessMemory
      PID: 5028

      C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        PID: 2756

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a13B2.bat
      - Suspicious use of WriteProcessMemory
      PID: 4936

      C:\Users\Admin\AppData\Local\Temp\4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        PID: 4712

    C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 1572

      C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        PID: 3356

        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 3312

      C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        PID: 2076

        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 1712

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4040 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
  PID: 3444
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 577KB
MD5: 447c2cc1d1c31d3beda8c37c6ea8fb29
SHA1: 9aee3aeb7b734fcbce6483f0c127897a34229a21
SHA256: 9f1cf772de334ec803a4d6da70c9ae0a2b5028f75ee2e3cdc52a10b09ad1b854
SHA512: 31cb45cbeb908247e1de671de35363e032cd40276d564bed3fd305fd8c87c9f4476bdd39563978cb1854e28f180499654d5ab5b98aa6c6762674b0df8ac4f05d

Filesize: 488KB
MD5: 17f0a9c5ff33c9c8e5894e7812749afe
SHA1: b4e39750687a539fd7f3c8eb63330514f9c504d6
SHA256: f7a6c5521fd2b8f422e3716092ed384697c775a6f02f47f512bffce687643d0e
SHA512: 0500cbb556be1a8ccbe91f7ccbeef3d8769d3f6ab1de838e8093ae609a2014aac97b80d8dc8b9037ae3b053fd597b25644f8b7a1168ceae2ad7c01aee7a4a481

Filesize: 722B
MD5: 654fc8e39e5ed9b99d56b8eb218c60ed
SHA1: 2241090b3b803ac746013f36b645028c41d4dbce
SHA256: 09e2178f8072fba8874420ba30e7244fb9871ceaf622642f41dbfb7ff001486f
SHA512: 317065e7b49729c6bb12022bcc4acc5463ea7b5ae91c5d3f02ea49520095ab5830bdf1918c0b59add4e6de4a2fc822980775778f5a54435aed0c32680b66a69e

C:\Users\Admin\AppData\Local\Temp\4dd41e40abb0a60974d851efdbbd8c0e9f3a189da27f0ba0da85728511c6d1a2.exe.exe
Filesize: 930KB
MD5: 30ac0b832d75598fb3ec37b6f2a8c86a
SHA1: 6f47dbfd6ff36df7ba581a4cef024da527dc3046
SHA256: 1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74
SHA512: 505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

Filesize: 33KB
MD5: 005782dec3941236334d871c5153fbf3
SHA1: c973a6811e47002ccb7c48911cf58d9b0f15c990
SHA256: def563a72f35ff1bd5d55bb4d8db6b098975b14f9f0a1e6c099415dda5887103
SHA512: 235604f421d5596f55f22ce59116a6975c527b433c26630c8a0aed7089710a9b4a781db2eae71eb93e7917ed4cf154554bbf37fa2ea4c7c0aaaa7737d96f2933

Filesize: 8B
MD5: a6f28952c332969f9e6d9f7d1a449737
SHA1: 31c0826adb63cc03162fb9e88781f4b50da8f11b
SHA256: d9d875805581110dafdfb2ceb34c5e60f50fe720963f9813c287e4845248d208
SHA512: 8187572ee8fbb9a42af34a3444be3a4309c5a798e7b1f27fce5b28b7168b72d015b1c10e611ccd3a9361af2aaeab831d2734017f77adff341c3fdb876c296eac