55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19/07/2024, 05:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe
Size

1.1MB
MD5

4052774a9f7c6514ed83a76e091a9543
SHA1

6013d9d0d8e048e9b8bcce58ebb4c026ba63d6d4
SHA256

55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd
SHA512

2675bd5ed1a1dd4802ced7536db854fd61e926c0701f44f8a5e6e13348fae14b18b873d021c356894cb96f990456db8e77d59ec82ae2086eedd0cb638435889a
SSDEEP

24576:MbBRXT9T+w6zY8v5a2FZ7WDpk2Kvfd5nP6Wp8zrMBThYBjv:sBRZ6zY8/7WDaDvfd5iQ8zoBThojv

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
4112	Logo1_.exe
4932	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ko-kr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ro-ro\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\de-de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nb-no\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Defender\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files-select\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Adobe\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\de\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PIXEL\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hr-hr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\uk-ua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\wab.exe	Logo1_.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\control\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\root\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\sv-se\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection64.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\de-de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ja-jp\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-si\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.106\WidevineCdm\_platform_specific\win_x64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sv-se\_desktop.ini	Logo1_.exe
File created	C:\Program Files\ModifiableWindowsApps\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe
File created	C:\Windows\Logo1_.exe	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3792	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe
3792	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe
3792	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe
3792	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe
3792	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe
3792	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe
3792	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe
3792	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe
3792	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe
3792	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe
3792	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe
3792	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe
3792	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe
3792	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe
3792	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe
3792	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe
3792	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe
3792	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe
3792	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe
3792	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe
3792	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe
3792	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe
3792	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe
3792	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe
3792	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe
3792	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe
4112	Logo1_.exe
4112	Logo1_.exe
4112	Logo1_.exe
4112	Logo1_.exe
4112	Logo1_.exe
4112	Logo1_.exe
4112	Logo1_.exe
4112	Logo1_.exe
4112	Logo1_.exe
4112	Logo1_.exe
4112	Logo1_.exe
4112	Logo1_.exe
4112	Logo1_.exe
4112	Logo1_.exe
4112	Logo1_.exe
4112	Logo1_.exe
4112	Logo1_.exe
4112	Logo1_.exe
4112	Logo1_.exe
4112	Logo1_.exe
4112	Logo1_.exe
4112	Logo1_.exe
4112	Logo1_.exe
4112	Logo1_.exe
4112	Logo1_.exe
4112	Logo1_.exe
4112	Logo1_.exe
4112	Logo1_.exe
4112	Logo1_.exe
4112	Logo1_.exe
4112	Logo1_.exe
4112	Logo1_.exe
4112	Logo1_.exe
4112	Logo1_.exe
4112	Logo1_.exe
4112	Logo1_.exe
4112	Logo1_.exe
4112	Logo1_.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 3792 wrote to memory of 368	3792	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe	84
PID 3792 wrote to memory of 368	3792	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe	84
PID 3792 wrote to memory of 368	3792	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe	84
PID 368 wrote to memory of 2224	368	net.exe	86
PID 368 wrote to memory of 2224	368	net.exe	86
PID 368 wrote to memory of 2224	368	net.exe	86
PID 3792 wrote to memory of 2936	3792	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe	90
PID 3792 wrote to memory of 2936	3792	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe	90
PID 3792 wrote to memory of 2936	3792	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe	90
PID 3792 wrote to memory of 4112	3792	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe	91
PID 3792 wrote to memory of 4112	3792	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe	91
PID 3792 wrote to memory of 4112	3792	55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe	91
PID 4112 wrote to memory of 4952	4112	Logo1_.exe	93
PID 4112 wrote to memory of 4952	4112	Logo1_.exe	93
PID 4112 wrote to memory of 4952	4112	Logo1_.exe	93
PID 4952 wrote to memory of 3692	4952	net.exe	95
PID 4952 wrote to memory of 3692	4952	net.exe	95
PID 4952 wrote to memory of 3692	4952	net.exe	95
PID 2936 wrote to memory of 4932	2936	cmd.exe	96
PID 2936 wrote to memory of 4932	2936	cmd.exe	96
PID 4112 wrote to memory of 4188	4112	Logo1_.exe	97
PID 4112 wrote to memory of 4188	4112	Logo1_.exe	97
PID 4112 wrote to memory of 4188	4112	Logo1_.exe	97
PID 4188 wrote to memory of 552	4188	net.exe	99
PID 4188 wrote to memory of 552	4188	net.exe	99
PID 4188 wrote to memory of 552	4188	net.exe	99
PID 4112 wrote to memory of 3504	4112	Logo1_.exe	56
PID 4112 wrote to memory of 3504	4112	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3504
- C:\Users\Admin\AppData\Local\Temp\55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe
  "C:\Users\Admin\AppData\Local\Temp\55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3792
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:368
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBA86.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Users\Admin\AppData\Local\Temp\55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe
      "C:\Users\Admin\AppData\Local\Temp\55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe"
      4⤵
      Executes dropped EXE
      PID:4932
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4112
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4952
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:3692
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4188
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

Filesize
257KB

MD5
9650ed78debcd79b8f4e5437297bbd81

SHA1
0087f5d3fe8221d62addade22b600824f8818421

SHA256
4e8693622b732fdaf953b7ca5192466ac524201740945d849bd6afd0404817e3

SHA512
9c66a42d83f9e132d09db322c00ca7404b6f7285f5d6cf4848aa7c1b4b82d35e8a0ad319780c38aa3f504d091b918d89a5bd683c85d24724c079ba9d2e58f658

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
583KB

MD5
3ba4190218dc871fa2a4c0387d0d3a00

SHA1
a4d60147752e2d668583e2be441a228f72b80fa7

SHA256
2506e369572544475c9fb47de4280dcd91678c168936b1d0afebe7fd8acc0c78

SHA512
6142ef886894937dd7e95de25d28fc272c0fcccead142b8439958616877cd1cad9f86626ea51e7e73b6442d98f7d2006a7f5ec47bbb8a8683332f728584bc95d

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
649KB

MD5
1ad09ab121869e9bedf81b1e82331d05

SHA1
21270e52207071b7d304acb7d776c9abba38c15c

SHA256
834cd914a6bc7c3eadf3b23bacc01433aa6a32411ab547d958604a1c434518b7

SHA512
4b1f28d726ec031fd0350a21ea7091087ae2688818716f7add7524fdf06a07d5937a4aa53c6029d2fab093714b1b48b8032927b56e2c207158946f6c71e6646b

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$aBA86.bat

Filesize
722B

MD5
b03f3ba65ca276663a81bbb62e6e708d

SHA1
90863f9b190db9b4e5ca94bc2f980286a7f4ba99

SHA256
3c7e8267339de3112841a206dd7043d631fb096ebf0e88e85b7b528dea27a81c

SHA512
b01c40139cd2a7b2169c2d654e58929a18b30e45fb0c759ba7edfbb3c52134f730a69b1e859334a922e0ae06b9a238c6a20ec8cb28c41b12f76aad730cb49f33

Download Submit
C:\Users\Admin\AppData\Local\Temp\55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe.exe

Filesize
1.1MB

MD5
f012ebe3b9f0c4d18b43076b68295667

SHA1
27ce582d305bf5ec574fd7edf39e1300783e9323

SHA256
bdff5163ff3787a7a8b6bb3f688e877c5fa10db2ad535bb9765c91e976fbcafe

SHA512
06ce3eceb42ca555511f55e85fe79441a4a8c70ad32c36a045560cb8449e44f08bcd9e938e9a11a0360c7363ba2fff4dd92b1a300e21e214a6d273009d8c2463

Download Submit
C:\Windows\Logo1_.exe

Filesize
39KB

MD5
dd45e175b084f3e7b3923cb8fcb3833b

SHA1
e44896aa2e3e4a8ba6677fd10c4eac8315b3939c

SHA256
cff2b960d67366aedaec8aaa4388a3537000a7253a3eeef378d24e1a171a4f13

SHA512
562284581292c3965df7e1f95bcffa2047d9a9e42e863e32b9cfc7b289270db24ca1ecb004f26d499d9901c49c11844cf3868b93b4b704f30a98ba4b52824fba

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1705699165-553239100-4129523827-1000\_desktop.ini

Filesize
9B

MD5
1368e4d784ef82633de86fa6bc6e37f9

SHA1
77c7384e886b27647bb4f2fd364e7947e7b6abc6

SHA256
57507bed6cf91d70e66bd4cc287634889ef30b648cb7c44a4edec0e2cb68b772

SHA512
3cb7168e776eb564768e30eba43174014a85108ab306a7c07a1522fb42173c381a5bff9ac10944fd345dd5308061cbe2878c60d1e878f8768281c1adcf5dd85b

Download Submit
memory/3792-9-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/3792-0-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4112-21-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4112-5211-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4112-11-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/4112-8893-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download