15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c

Analysis

max time kernel
149s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 09:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe
Size

64KB
MD5

0a4ad8aa58382cdff5603c8ee09de9c5
SHA1

f5ab35d2e6365497a4c8b87100156dc30d80d2d7
SHA256

15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c
SHA512

f0d1f708393c6ee18a080f7481da47cf713a6e1358157e5d12b3e2ab5bcd1d968bf37c329cc754653baf8d7479e4de969994804a42d21f64bb1b9c314c1bf36d
SSDEEP

1536:F4Tncx1aeg1vye1MRSpomCEi1KqGCq2iW7z:FGf9qe1ISpomCP1dGCH

Score

7^/10

aspackv2 spyware stealer

Malware Config

Signatures

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x0008000000023412-18.dat	aspack_v212_v242

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation	lCOuvh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 3 IoCs

pid	Process
2272	Logo1_.exe
5072	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe
4704	lCOuvh.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\hrtfs\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\cs-cz\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Google\Update\Install\{3B9828FA-6A18-4F1B-A570-1997BB7D5CB0}\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\kinit.exe	lCOuvh.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\keytool.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\audio_output\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sv-se\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\control\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-ma\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ca-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\da-dk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\IEContentService.exe	lCOuvh.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ca-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fi-fi\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hu-hu\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Comprehensive\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-ae\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe
File created	C:\Windows\Logo1_.exe	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
640	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe
640	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe
640	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe
640	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe
640	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe
640	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe
640	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe
640	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe
640	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe
640	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe
640	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe
640	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe
640	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe
640	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe
640	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe
640	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe
640	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe
640	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe
640	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe
640	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe
640	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe
640	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe
640	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe
640	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe
640	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe
640	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe
2272	Logo1_.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 640 wrote to memory of 4384	640	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe	81
PID 640 wrote to memory of 4384	640	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe	81
PID 640 wrote to memory of 4384	640	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe	81
PID 4384 wrote to memory of 2288	4384	net.exe	83
PID 4384 wrote to memory of 2288	4384	net.exe	83
PID 4384 wrote to memory of 2288	4384	net.exe	83
PID 640 wrote to memory of 1104	640	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe	87
PID 640 wrote to memory of 1104	640	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe	87
PID 640 wrote to memory of 1104	640	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe	87
PID 640 wrote to memory of 2272	640	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe	89
PID 640 wrote to memory of 2272	640	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe	89
PID 640 wrote to memory of 2272	640	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe	89
PID 2272 wrote to memory of 3136	2272	Logo1_.exe	90
PID 2272 wrote to memory of 3136	2272	Logo1_.exe	90
PID 2272 wrote to memory of 3136	2272	Logo1_.exe	90
PID 3136 wrote to memory of 4424	3136	net.exe	92
PID 3136 wrote to memory of 4424	3136	net.exe	92
PID 3136 wrote to memory of 4424	3136	net.exe	92
PID 1104 wrote to memory of 5072	1104	cmd.exe	93
PID 1104 wrote to memory of 5072	1104	cmd.exe	93
PID 1104 wrote to memory of 5072	1104	cmd.exe	93
PID 5072 wrote to memory of 4704	5072	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe	94
PID 5072 wrote to memory of 4704	5072	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe	94
PID 5072 wrote to memory of 4704	5072	15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe	94
PID 2272 wrote to memory of 4772	2272	Logo1_.exe	95
PID 2272 wrote to memory of 4772	2272	Logo1_.exe	95
PID 2272 wrote to memory of 4772	2272	Logo1_.exe	95
PID 4772 wrote to memory of 5056	4772	net.exe	97
PID 4772 wrote to memory of 5056	4772	net.exe	97
PID 4772 wrote to memory of 5056	4772	net.exe	97
PID 4704 wrote to memory of 4580	4704	lCOuvh.exe	100
PID 4704 wrote to memory of 4580	4704	lCOuvh.exe	100
PID 4704 wrote to memory of 4580	4704	lCOuvh.exe	100
PID 2272 wrote to memory of 3156	2272	Logo1_.exe	54
PID 2272 wrote to memory of 3156	2272	Logo1_.exe	54

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3156
- C:\Users\Admin\AppData\Local\Temp\15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe
  "C:\Users\Admin\AppData\Local\Temp\15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:640
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4384
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:2288
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a395F.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1104
  - - C:\Users\Admin\AppData\Local\Temp\15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe
      "C:\Users\Admin\AppData\Local\Temp\15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:5072
    - - C:\Users\Admin\AppData\Local\Temp\lCOuvh.exe
        
        C:\Users\Admin\AppData\Local\Temp\lCOuvh.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious use of WriteProcessMemory
        
        PID:4704
      - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0ac70d92.bat" "
        6⤵
        
        PID:4580
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3136
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:4424
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4772
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:5056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
258KB

MD5
faaa09cb2d9197da4a00a0df01ac2e5c

SHA1
ce497e70212da947764b054c161a468be867cf1b

SHA256
51d9d9203fddf941f10518b44fa657ea3a68c2156ba573b36cbec3c8959992c6

SHA512
98feb4b1927fe22b02fa5169dd77b774b8d467ff71ca6b5d6f5244723e6d4ce118d647821db2e1cbc8441316fdbec463bd1d06ce3a398b3ed43c7834ecbf43c6

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
577KB

MD5
e2b0c71bc062191d8e4fdb919bd6cd7f

SHA1
f69480fa56aacdafc545c7203792142cd3c8876a

SHA256
39933c9c0d5fed210466012f958805308634b9d94f66e9d88df7743a174b29a5

SHA512
80a3db4c57ea530e55ed6f13bf910af820930a31dff89058fe8ec4837837482331b2ab94e142b8d52cf53c8262b04e4f0bd024d9a3e67b720438399fb5dddd30

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
64KB

MD5
74260b7235567137c48fe5eee5b11212

SHA1
60234b7412d600005dec7e7ebfd8a3a5580f4fbe

SHA256
88220f9f2c1036a08b12252457a0566c93bd71fcad4270b74b86fe7a26f2cdd5

SHA512
340b9d6acc7a493b29680685230a92239684e505d98131eec469dbd89a40af5ab62fd989c1db24f842fb2d4eb3fbe6a7655f2acbf978aba439097e8ea7e7a527

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
643KB

MD5
9363a720e098b38389b25a7b18cfbcdd

SHA1
7b5e835b22262b47e6042e7aadecc67dac05f7db

SHA256
10579b661dade8697f252204f241952eb2029ea6978165f9336fd60a72b3205e

SHA512
564b873358ebe4d4d194b924e9934cb5c1666df901db2556e8cbab8276f8c4380a5bee157cc8eb2063fe0f48a1d0dc1cf339d3d3040d764c974e1c46b0870f88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\NCVVYLW7\k2[1].rar

Filesize
4B

MD5
d3b07384d113edec49eaa6238ad5ff00

SHA1
f1d2d2f924e986ac86fdf7b36c94bcdf32beec15

SHA256
b5bb9d8014a0f9b1d61e21e796d78dccdf1352f23cd32812f4850b878ae4944c

SHA512
0cf9180a764aba863a67b6d72f0918bc131c6772642cb2dce5a34f0a702f9470ddc2bf125c12198b1995c233c34b4afd346c54a2334c350a948a51b6e8b4e6b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a395F.bat

Filesize
722B

MD5
1b03d8d2a2a40df2e0ccb45fec676009

SHA1
405a234889d376a615e9c27a271b078b7f1c32f1

SHA256
536e8d61bc6ab513cb7d83789b06ed02f1eda51cdf45b11abf20f19193ee1dc2

SHA512
3ad72c7e4c2d6f249d8574d7e693bcc7b83fdb999c4c3cf365e5e7eed96cdd4d212a691871aa0921f2bdcf4c9c3666c048881fc2583ae07627fa4946e848c7be

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ac70d92.bat

Filesize
187B

MD5
e206fd76b7fc94ee7b36488e51aedeb2

SHA1
4f4409a2da9bdfbb526adc0611ce33e79363b1aa

SHA256
594596c701e7136c31198329ce14d94e02be156173b61c85f1d64c2678e80d61

SHA512
de3174928d135543baa1fe76c1824cd517972889d26aae241292109155eb5c587036b4c5b47704a102d4ec260db83858daff7b347b261992f0c8790b6f32b4cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\15d1e6b25099fbf1ecd59e8566fce63a89d10e100e7540d47718be5753eed61c.exe.exe

Filesize
31KB

MD5
3d0f864f1bb6e3e4e4f6893e070115be

SHA1
f2661a0d22c47c897a5e8dd43a2b0775962eb37d

SHA256
62a170c5d2bc372f8bb7f7fc059ec6e4bcd372a01af00b5a3ce3c2e208e6ea00

SHA512
dde178b4ef7ed72d6319a46ca5948f964a00f7bb50dc9b9e47e8eff4ea78772d515f299e152fc7cc502b58503532de93e563467310897f8ade6383dde25217ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\1D0D7AF1.exe

Filesize
33KB

MD5
e2df2c847b727ab46536c89f46e959ea

SHA1
9aa70805b093134eb615cd8afc037ed5b7331b03

SHA256
8beb7cf4690399505ad0a2e994692e1251baf9c5b74ba9b123da405b1ddcb1b7

SHA512
18ea2561f00acb2fe94245dfb26cd592e75729168de06d319609d3367ac4c532c7566d68056785ab66f8d40cb4af08a3d04992aca3eb4c93fad5296535744997

Download Submit
C:\Users\Admin\AppData\Local\Temp\663F43DB.exe

Filesize
4B

MD5
20879c987e2f9a916e578386d499f629

SHA1
c7b33ddcc42361fdb847036fc07e880b81935d5d

SHA256
9f2981a7cc4d40a2a409dc895de64253acd819d7c0011c8e80b86fe899464e31

SHA512
bcdde1625364dd6dd143b45bdcec8d59cf8982aff33790d390b839f3869e0e815684568b14b555a596d616252aeeaa98dac2e6e551c9095ea11a575ff25ff84f

Download Submit
C:\Users\Admin\AppData\Local\Temp\lCOuvh.exe

Filesize
15KB

MD5
56b2c3810dba2e939a8bb9fa36d3cf96

SHA1
99ee31cd4b0d6a4b62779da36e0eeecdd80589fc

SHA256
4354970ccc7cd6bb16318f132c34f6a1b3d5c2ea7ff53e1c9271905527f2db07

SHA512
27812a9a034d7bd2ca73b337ae9e0b6dc79c38cfd1a2c6ac9d125d3cc8fa563c401a40d22155811d5054e5baa8cf8c8e7e03925f25fa856a9ba9dea708d15b4e

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
9331307acc6ea0119adac27759d11956

SHA1
10cc3b729963eaf37ece65bfb77e4baf37a47003

SHA256
335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d

SHA512
9da4e4b2a124a3d1f25e22efe0681edb9ca900b03ae907fca9f320ef64ff05cac5cf6598c8c3f3af7bba561d927158de2362d8100e62081482c19af40fa118a8

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3906287020-2915474608-1755617787-1000\_desktop.ini

Filesize
8B

MD5
a6f28952c332969f9e6d9f7d1a449737

SHA1
31c0826adb63cc03162fb9e88781f4b50da8f11b

SHA256
d9d875805581110dafdfb2ceb34c5e60f50fe720963f9813c287e4845248d208

SHA512
8187572ee8fbb9a42af34a3444be3a4309c5a798e7b1f27fce5b28b7168b72d015b1c10e611ccd3a9361af2aaeab831d2734017f77adff341c3fdb876c296eac

Download Submit
memory/640-10-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/640-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2272-66-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2272-3503-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2272-11-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2272-8715-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4704-19-0x0000000000650000-0x0000000000659000-memory.dmp

Filesize
36KB

Download
memory/4704-63-0x0000000000650000-0x0000000000659000-memory.dmp

Filesize
36KB

Download
memory/5072-68-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/5072-15-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download