Analysis

max time kernel: 149s
max time network: 94s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-06-2024 14:21

Static task: static1
Behavioral task: behavioral1
Sample: a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe
Resource: win7-20240221-en
General

Target: a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe
Size: 1.5MB
MD5: 66081074e23d7ac3c78c0985f6a24c5c
SHA1: 4b6bf640b697f6a4b2e62913ede6891a2e2de202
SHA256: a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db
SHA512: 03c9f2367cadb83934cc23ca22222375e4b3adfb8624767752bb769b8513ec6825f4e4b71dbd05bc4f9ae34bacd12d1e056cffb1de1a1628ae04075a4ecad671
SSDEEP: 24576:IBAQC7HmUDDPC803QpIY46xNIxuzP2e+2RJXlhO1DrA/1EZ8J/6Q4xUEisz2T:IBAQCXDPCT3QCYroEb2e+2RJO1Ds/1E4
Malware Config

Signatures

Drops startup file (2 IoCs)
File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (process: Logo1_.exe)
File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (process: Logo1_.exe)

Executes dropped EXE (3 IoCs)
PID 2040: Logo1_.exe
PID 4164: a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe
PID 4824: update.exe

Loads dropped DLL (3 IoCs)
PID 4164: a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe
PID 4824: update.exe
PID 4824: update.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by Logo1_.exe: \??\R:, \??\O:, \??\L:, \??\I:, \??\Z:, \??\V:, \??\E:, \??\Y:, \??\W:, \??\M:, \??\J:, \??\H:, \??\G:, \??\U:, \??\S:, \??\Q:, \??\P:, \??\N:, \??\K:, \??\X:, \??\T:
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (6 IoCs)
File created: C:\Windows\rundl132.exe (process: a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe)
File created: C:\Windows\Logo1_.exe (process: a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe)
File opened for modification: C:\Windows\setupapi.log (process: update.exe)
File opened for modification: C:\Windows\rundl132.exe (process: Logo1_.exe)
File created: C:\Windows\Dll.dll (process: Logo1_.exe)
File opened for modification: \??\c:\windows\KB898715.log (process: update.exe)

Runs net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of WriteProcessMemory (32 IoCs)
Processes

C:\Windows\Explorer.EXE (PID 3420)
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe (PID 3684)
    command line: "C:\Users\Admin\AppData\Local\Temp\a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe"
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe (PID 868)
      command line: net stop "Kingsoft AntiVirus Service"
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe (PID 4400)
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
    C:\Windows\SysWOW64\cmd.exe (PID 4296)
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a33E1.bat
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe (PID 4164)
        command line: "C:\Users\Admin\AppData\Local\Temp\a3c6340b171de28c88d2c9ada271fca0588c5b99933add613ce334a42044e7db.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        \??\c:\e793473c7316e77ded80593693662661\update\update.exe (PID 4824)
          command line: c:\e793473c7316e77ded80593693662661\update\update.exe
          - Executes dropped EXE
          - Loads dropped DLL
          - Drops file in Windows directory
    C:\Windows\Logo1_.exe (PID 2040)
      command line: C:\Windows\Logo1_.exe
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe (PID 1452)
        command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (PID 712)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      C:\Windows\SysWOW64\net.exe (PID 2200)
        command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (PID 4920)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads