Analysis

max time kernel: 151s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-06-2024 10:40

Static task: static1
Behavioral task: behavioral1
  Sample: 1d4be60d5ac22ad4d5feb70ae1e771c8350fdc37ffbd3381b38cdab72721b90a.exe
  Resource: win7-20231129-en
General

Target: 1d4be60d5ac22ad4d5feb70ae1e771c8350fdc37ffbd3381b38cdab72721b90a.exe
Size: 99KB
MD5: f01763aab0b11e87bbdb86cc5a8e6d4c
SHA1: a724eb296ea9d3e1c0132b789c3af8a3aede8fb2
SHA256: 1d4be60d5ac22ad4d5feb70ae1e771c8350fdc37ffbd3381b38cdab72721b90a
SHA512: eb769d11cd6345143d1b766ba3d3311a6d02c962c307af6efe1761335ce9862bc7f4adb5ba8816b161c6e5d36b9e837287938a5b0ca4db3966c5db22f7940c94
SSDEEP: 1536:Hje+Zk7qzUJBeLkbiT29dXkyapmebn4ddJZeY86iLflLJYEIs67rxo:Hje+aezUDbHXlLK4ddJMY86ipmns6S
Malware Config

Signatures

Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  4544 | Logo1_.exe
  4980 | 1d4be60d5ac22ad4d5feb70ae1e771c8350fdc37ffbd3381b38cdab72721b90a.exe

Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\S: | Logo1_.exe
  File opened (read-only) | \??\M: | Logo1_.exe
  File opened (read-only) | \??\L: | Logo1_.exe
  File opened (read-only) | \??\J: | Logo1_.exe
  File opened (read-only) | \??\Z: | Logo1_.exe
  File opened (read-only) | \??\Y: | Logo1_.exe
  File opened (read-only) | \??\W: | Logo1_.exe
  File opened (read-only) | \??\U: | Logo1_.exe
  File opened (read-only) | \??\T: | Logo1_.exe
  File opened (read-only) | \??\R: | Logo1_.exe
  File opened (read-only) | \??\Q: | Logo1_.exe
  File opened (read-only) | \??\P: | Logo1_.exe
  File opened (read-only) | \??\G: | Logo1_.exe
  File opened (read-only) | \??\H: | Logo1_.exe
  File opened (read-only) | \??\E: | Logo1_.exe
  File opened (read-only) | \??\X: | Logo1_.exe
  File opened (read-only) | \??\V: | Logo1_.exe
  File opened (read-only) | \??\O: | Logo1_.exe
  File opened (read-only) | \??\N: | Logo1_.exe
  File opened (read-only) | \??\K: | Logo1_.exe
  File opened (read-only) | \??\I: | Logo1_.exe
Drops file in Program Files directory (64 IoCs)
  All 64 entries are by Logo1_.exe. Three of them open existing executables for modification (wmlaunch.exe, AcroBroker.exe, 32BitMAPIBroker.exe); the rest create or modify a _desktop.ini in an application directory.
  description | ioc
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\hr-hr\_desktop.ini
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hr-hr\_desktop.ini
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\hu-hu\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sl-si\_desktop.ini
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ko-kr\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{56EB18F8-B008-4CBD-B6D2-8C97FE7E9062}\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\_desktop.ini
  File created | C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\_desktop.ini
  File opened for modification | C:\Program Files\Windows Media Player\wmlaunch.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\da-dk\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nl-nl\_desktop.ini
  File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\_desktop.ini
  File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\_desktop.ini
  File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\_desktop.ini
  File created | C:\Program Files\VideoLAN\VLC\locale\lt\_desktop.ini
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-sl\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\uk-ua\_desktop.ini
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ar-ae\_desktop.ini
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\pt-br\_desktop.ini
  File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\122.0.2365.52\_desktop.ini
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\_desktop.ini
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hr-hr\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\tr-tr\_desktop.ini
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files-select\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\eu-es\_desktop.ini
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\lt\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\mr\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\_desktop.ini
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nl-nl\_desktop.ini
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ja-jp\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ja-jp\_desktop.ini
  File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\_desktop.ini
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\ODBC\Data Sources\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Locales\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sk-sk\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\_desktop.ini
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-sl\_desktop.ini
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pt-br\_desktop.ini
  File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\_desktop.ini
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sl-si\_desktop.ini
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pt-br\_desktop.ini
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ro-ro\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fi-fi\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\dark\_desktop.ini
  File created | C:\Program Files\VideoLAN\VLC\locale\th\_desktop.ini
  File created | C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\_desktop.ini
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-fr\_desktop.ini
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-sl\_desktop.ini
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ro-ro\_desktop.ini
  File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\_desktop.ini
  File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\it\_desktop.ini
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-si\_desktop.ini
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fr-fr\_desktop.ini
  File created | C:\Program Files\Microsoft Office\root\fre\_desktop.ini
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sl-sl\_desktop.ini
Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File created | C:\Windows\rundl132.exe | 1d4be60d5ac22ad4d5feb70ae1e771c8350fdc37ffbd3381b38cdab72721b90a.exe
  File created | C:\Windows\Logo1_.exe | 1d4be60d5ac22ad4d5feb70ae1e771c8350fdc37ffbd3381b38cdab72721b90a.exe
  File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
  File created | C:\Windows\Dll.dll | Logo1_.exe
Runs net.exe
  No IoCs are listed under this signature. The process list below shows three net.exe invocations, each running net stop "Kingsoft AntiVirus Service": one from the original sample (PID 2388) and two from Logo1_.exe (PID 4544).
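The signatures above are sandbox observations; a responder usually wants the same behaviours as host-side checks over endpoint telemetry. The following is an added example, not part of the Triage report or its tooling. It implements four checks derived from this report's IoCs: an executable or DLL written directly into C:\Windows (with a check for names one character-confusion away from a system binary, as rundl132.exe is from rundll32.exe); a net stop against a security-product service; an .exe under Program Files opened for modification by a process that does not itself live under Program Files; and one process touching _desktop.ini in many distinct Program Files directories. The event list is constructed from the IoCs on this page plus three benign controls. The event schema (kind, pid, image, path, cmdline), the security-product keyword list, the confusable-character map and the fan-out threshold are assumptions, not a real EDR format.

```python
"""Host-side versions of the behaviours flagged in the Triage report.

Added example, not part of the report. Events are constructed from the page's
IoCs; the schema, keyword list, confusable map and threshold are assumptions.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

WINDOWS_DIR = PureWindowsPath(r"C:\Windows")
PROGRAM_FILES = (PureWindowsPath(r"C:\Program Files"),
                 PureWindowsPath(r"C:\Program Files (x86)"))
SYSTEM_BINARIES = ("rundll32.exe", "regsvr32.exe", "svchost.exe", "lsass.exe")
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "i": "l"})      # assumed folding of lookalike glyphs
SECURITY_SERVICE = re.compile(                                     # assumed keyword list; extend locally
    r"anti.?virus|kingsoft|defender|kaspersky|mcafee|symantec|sophos", re.I)
DESKTOP_INI_THRESHOLD = 5   # distinct directories per process; assumed (the report shows 64)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1d4be60d5ac22ad4d5feb70ae1e771c8350fdc37ffbd3381b38cdab72721b90a.exe"
LOGO1 = r"C:\Windows\Logo1_.exe"
AR = r"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader"


def ev(kind, pid, image, **fields):
    return {"kind": kind, "pid": pid, "image": image, **fields}


# Constructed from the page's IoCs; pids 9xxx are constructed benign controls.
EVENTS = [
    ev("file_create", 2388, SAMPLE, path=r"C:\Windows\rundl132.exe"),
    ev("file_create", 2388, SAMPLE, path=LOGO1),
    ev("file_create", 4544, LOGO1, path=r"C:\Windows\Dll.dll"),
    ev("proc_create", 3560, r"C:\Windows\SysWOW64\net.exe", cmdline='net stop "Kingsoft AntiVirus Service"'),
    ev("file_modify", 4544, LOGO1, path=r"C:\Program Files\Windows Media Player\wmlaunch.exe"),
    ev("file_modify", 4544, LOGO1, path=AR + r"\AcroBroker.exe"),
    ev("file_create", 4544, LOGO1, path=r"C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\_desktop.ini"),
    ev("file_create", 4544, LOGO1, path=r"C:\Program Files\VideoLAN\VLC\locale\lt\_desktop.ini"),
    ev("file_create", 4544, LOGO1, path=r"C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\_desktop.ini"),
    ev("file_modify", 4544, LOGO1, path=r"C:\Program Files (x86)\Common Files\Oracle\Java\_desktop.ini"),
    ev("file_create", 4544, LOGO1, path=r"C:\Program Files\dotnet\shared\Microsoft.NETCore.App\_desktop.ini"),
    ev("file_create", 4544, LOGO1, path=r"C:\Program Files\Microsoft Office\root\fre\_desktop.ini"),
    ev("proc_create", 9001, r"C:\Windows\System32\net.exe", cmdline="net stop Spooler"),
    ev("file_create", 9002, r"C:\Windows\System32\svchost.exe", path=r"C:\Windows\Temp\a1b2.tmp"),
    ev("file_modify", 9003, r"C:\Program Files\VideoLAN\VLC\vlc.exe", path=r"C:\Program Files\VideoLAN\VLC\vlc.exe"),
]


def in_program_files(path):
    return any(root in path.parents for root in PROGRAM_FILES)


def lookalike_of_system_binary(name):
    """'rundl132.exe' -> 'rundll32.exe'; None when the name is genuine or unrelated."""
    folded = name.lower().translate(CONFUSABLES)
    for real in SYSTEM_BINARIES:
        if folded == real.translate(CONFUSABLES) and name.lower() != real:
            return real
    return None


def analyse(events):
    """Return (rule, pid, ...) findings for the four behaviours described in the report."""
    findings, ini_dirs = [], defaultdict(set)
    for e in events:
        image = PureWindowsPath(e["image"])
        if e["kind"] == "proc_create":
            m = re.search(r'\bstop\s+"?([^"]+?)"?\s*$', e.get("cmdline", ""), re.I)
            if image.name.lower() in ("net.exe", "net1.exe", "sc.exe") and m and SECURITY_SERVICE.search(m[1]):
                findings.append(("security_service_stop", e["pid"], m[1]))
            continue
        path = PureWindowsPath(e["path"])
        # Rule 1: PE file written straight into the Windows directory root.
        if e["kind"] == "file_create" and path.parent == WINDOWS_DIR and path.suffix.lower() in (".exe", ".dll"):
            findings.append(("windows_root_drop", e["pid"], str(path), lookalike_of_system_binary(path.name)))
        # Rule 2: an installed executable modified by something outside Program Files.
        if e["kind"] == "file_modify" and path.suffix.lower() == ".exe" and in_program_files(path) and not in_program_files(image):
            findings.append(("program_files_exe_tamper", e["pid"], str(path)))
        # Rule 3: _desktop.ini fan-out, counted per process over distinct directories.
        if path.name.lower() == "_desktop.ini" and in_program_files(path):
            ini_dirs[e["pid"]].add(path.parent)
    for pid, dirs in ini_dirs.items():
        if len(dirs) >= DESKTOP_INI_THRESHOLD:
            findings.append(("desktop_ini_fanout", pid, len(dirs)))
    return findings


if __name__ == "__main__":
    for finding in analyse(EVENTS):
        print(*finding)
```

The fan-out rule is the one that generalises beyond this sample: a single process creating the same marker file in dozens of unrelated application directories is not something an installer does, whatever the file is called. The other three rules are tight on purpose; widen the keyword list and the system-binary list to match the estate being monitored.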
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  2388 | 1d4be60d5ac22ad4d5feb70ae1e771c8350fdc37ffbd3381b38cdab72721b90a.exe (repeated entries)
  4544 | Logo1_.exe (repeated entries)
  All 64 entries belong to these two processes.
Suspicious use of WriteProcessMemory (28 IoCs)
  description | pid | Process | procid_target
  PID 2388 wrote to memory of 3560 | 2388 | 1d4be60d5ac22ad4d5feb70ae1e771c8350fdc37ffbd3381b38cdab72721b90a.exe | 89  (3 entries)
  PID 3560 wrote to memory of 1592 | 3560 | net.exe | 91  (3 entries)
  PID 2388 wrote to memory of 3288 | 2388 | 1d4be60d5ac22ad4d5feb70ae1e771c8350fdc37ffbd3381b38cdab72721b90a.exe | 92  (3 entries)
  PID 2388 wrote to memory of 4544 | 2388 | 1d4be60d5ac22ad4d5feb70ae1e771c8350fdc37ffbd3381b38cdab72721b90a.exe | 94  (3 entries)
  PID 4544 wrote to memory of 4456 | 4544 | Logo1_.exe | 95  (3 entries)
  PID 4456 wrote to memory of 1608 | 4456 | net.exe | 97  (3 entries)
  PID 3288 wrote to memory of 4980 | 3288 | cmd.exe | 98  (2 entries)
  PID 4544 wrote to memory of 2916 | 4544 | Logo1_.exe | 99  (3 entries)
  PID 2916 wrote to memory of 740 | 2916 | net.exe | 101  (3 entries)
  PID 4544 wrote to memory of 3332 | 4544 | Logo1_.exe | 56  (2 entries)
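The 28 records above are enough to rebuild most of the process tree in the Processes section, and to separate process-creation writes from writes into a process the writer did not create. The following is an added example, not from the Triage report. It parses the records (deduplicating them; the page repeats each two or three times, and one duplicate is left in the sample input), treats procid_target as the sandbox's monotonically increasing index of the target process (an assumption, supported by the values here, which rise in creation order), and flags any write whose target was indexed before the writer. That isolates the last pair of entries, Logo1_.exe (PID 4544, index 94) writing into Explorer.EXE (PID 3332, index 56), the one write on the page into a pre-existing process. The records cannot show the parent of PID 2388 itself, which the Processes section gives as Explorer.EXE; image names for PIDs that never act as writer are filled in from that section.

```python
"""Rebuild the process tree from the report's WriteProcessMemory records.

Added example, not from the Triage report. Assumes procid_target is the
sandbox's monotonically increasing index of the target process, so a writer
whose own index is higher than its target's cannot have created that target.
"""
import re
from collections import defaultdict

SAMPLE = "1d4be60d5ac22ad4d5feb70ae1e771c8350fdc37ffbd3381b38cdab72721b90a.exe"

# Records copied from the report; the page repeats each one, one duplicate kept here.
RECORDS = f"""
PID 2388 wrote to memory of 3560 2388 {SAMPLE} 89
PID 2388 wrote to memory of 3560 2388 {SAMPLE} 89
PID 3560 wrote to memory of 1592 3560 net.exe 91
PID 2388 wrote to memory of 3288 2388 {SAMPLE} 92
PID 2388 wrote to memory of 4544 2388 {SAMPLE} 94
PID 4544 wrote to memory of 4456 4544 Logo1_.exe 95
PID 4456 wrote to memory of 1608 4456 net.exe 97
PID 3288 wrote to memory of 4980 3288 cmd.exe 98
PID 4544 wrote to memory of 2916 4544 Logo1_.exe 99
PID 2916 wrote to memory of 740 2916 net.exe 101
PID 4544 wrote to memory of 3332 4544 Logo1_.exe 56
"""

# Image names for PIDs that never write, taken from the report's Processes section.
KNOWN_NAMES = {1592: "net1.exe", 1608: "net1.exe", 740: "net1.exe", 4980: SAMPLE, 3332: "Explorer.EXE"}

RECORD = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse(text):
    """Distinct (writer_pid, writer_image, target_pid, target_index) tuples, in page order."""
    seen, records = set(), []
    for m in RECORD.finditer(text):
        rec = (int(m[1]), m[3], int(m[2]), int(m[4]))
        if rec not in seen:
            seen.add(rec)
            records.append(rec)
    return records


def reconstruct(records):
    """Split writes into creations (parent map) and writes into pre-existing processes."""
    names, index, parent, injections = {}, {}, {}, []
    for writer, image, target, tidx in records:
        names[writer] = image
        index.setdefault(target, tidx)           # a process's own index is the one it was first targeted with
    for writer, image, target, tidx in records:
        if writer in index and index[writer] > tidx:
            injections.append((writer, target))  # target predates the writer: cannot be a creation
        else:
            parent.setdefault(target, writer)
    return parent, injections, names


def render(parent, names, root):
    """Indented tree rooted at `root`, children in creation order."""
    children = defaultdict(list)
    for child, p in parent.items():
        children[p].append(child)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {names.get(pid, KNOWN_NAMES.get(pid, '?'))}")
        for child in children[pid]:
            walk(child, depth + 1)

    walk(root, 0)
    return lines


if __name__ == "__main__":
    parent, injections, names = reconstruct(parse(RECORDS))
    print("\n".join(render(parent, names, 2388)))
    for writer, target in injections:
        print(f"write into pre-existing process: {writer} {names[writer]} -> {target} {KNOWN_NAMES.get(target, '?')}")
```

Run stand-alone it prints the same tree as the Processes section (minus the Explorer.EXE root, which no record can establish) and one line for the 4544 to 3332 write. The index comparison is what makes the distinction, not the target's name: the same logic would flag a write from a late-created process into any earlier one.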
Processes

C:\Windows\Explorer.EXE  (PID 3332)
  cmdline: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\1d4be60d5ac22ad4d5feb70ae1e771c8350fdc37ffbd3381b38cdab72721b90a.exe  (PID 2388)
    cmdline: "C:\Users\Admin\AppData\Local\Temp\1d4be60d5ac22ad4d5feb70ae1e771c8350fdc37ffbd3381b38cdab72721b90a.exe"
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe  (PID 3560)
      cmdline: net stop "Kingsoft AntiVirus Service"
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe  (PID 1592)
        cmdline: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
    C:\Windows\SysWOW64\cmd.exe  (PID 3288)
      cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aFE74.bat
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\1d4be60d5ac22ad4d5feb70ae1e771c8350fdc37ffbd3381b38cdab72721b90a.exe  (PID 4980)
        cmdline: "C:\Users\Admin\AppData\Local\Temp\1d4be60d5ac22ad4d5feb70ae1e771c8350fdc37ffbd3381b38cdab72721b90a.exe"
        - Executes dropped EXE
    C:\Windows\Logo1_.exe  (PID 4544)
      cmdline: C:\Windows\Logo1_.exe
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe  (PID 4456)
        cmdline: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe  (PID 1608)
          cmdline: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      C:\Windows\SysWOW64\net.exe  (PID 2916)
        cmdline: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe  (PID 740)
          cmdline: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe  (PID 1932)
  cmdline: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4140 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 583KB
MD5: 80b4ed875f0b2d49bc5ad056ea34e86e
SHA1: 8b6cfd1956a55cc22cbdddc8799d571974d1f274
SHA256: 622c928a4cada8ca1f49b08c72266e229a183ca5ffed94f06b4ccfc6558624a0
SHA512: d75ee42a91eff1c955cb3f41f944de6cacf25adc3079de910ec6fcfa949a7a6687a0c5091cf544fc0e7ee79151d47fa56f76186e06a08edf703ad8b19f78e883

Filesize: 494KB
MD5: 73b8afa9c3c287b59a05eccad6bc1d60
SHA1: 6ae108be5c05fd882c422c37995c3eba370c41e5
SHA256: b189f4bac49bd3e9d501b009ae20db1a60a6a3fa931118ce3fa918b3cfd4811d
SHA512: 685cdbf70d4829048d2f908f41c0de3edcc4eeb53b4852616983ca41d4428c787504e94c65329292370d355fdd90bad02a60834903279a917e0bbb814c17c53b

Filesize: 722B
MD5: b7717241f76f64c26363079c85a45c49
SHA1: aa0d2a3ec9ce3d652250b6be9b33b34d0e267e7b
SHA256: c6d632c763d881ff402f7cc53ddd166e4d2032c6dcb199066b32d2212da12244
SHA512: 05cc7fd91a631eae171aff462311b9497137c42f6f279560b55b488d2f46dcfc33bb79b2092673339ca5e78b3c43c5ef85efa06af4409f92bade4b9fae07aa4d

C:\Users\Admin\AppData\Local\Temp\1d4be60d5ac22ad4d5feb70ae1e771c8350fdc37ffbd3381b38cdab72721b90a.exe.exe
Filesize: 59KB
MD5: dfc18f7068913dde25742b856788d7ca
SHA1: cbaa23f782c2ddcd7c9ff024fd0b096952a2b387
SHA256: ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf
SHA512: d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945

Filesize: 39KB
MD5: 3119e880ce5d6d029185f7ed591e11d0
SHA1: 3ab197daedf94e992062faa4eda18905b87c75bb
SHA256: b1eada5fd013195853bb65ee2b9fa55eb97840d20077d7a2fd43167800608eda
SHA512: 18cafd3a73312811037cb0e44a578670498b09350d72febd262d62528094b9ba738357ef861bb9cb7704097b9c930b9aa38ee5823520e22cf71d4ebb453bf4d7

Filesize: 8B
MD5: 5db3a6182cd872eaab6e2e7df1096b6c
SHA1: 3e324dd00c5b4aa1e4bc5176310a642cefbc8c2a
SHA256: 734417b13fb0508f286fe107625febab857319f967d8c512786c7a45f8c575bf
SHA512: 2216f82eee3214ae8bcca36317dada5873b818cd0fb23ebab360998fe0a1d1108172a7ea274bd56606f632cea033f347c0913dff9f0538e99edb4641c92d8149