Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/08/2024, 19:29
Static task: static1
Behavioral task: behavioral1
Sample: 23036d793dd3964189d5926cdf15b7232a95dfd67a2f0a7abf4c07f2ffea2210.exe
Resource: win7-20240705-en
General
Target: 23036d793dd3964189d5926cdf15b7232a95dfd67a2f0a7abf4c07f2ffea2210.exe
Size: 2.8MB
MD5: 4d95c7318a511c1ec193b0b804998c35
SHA1: 3ce7b715ab511a253db2fad0457441a7574949b2
SHA256: 23036d793dd3964189d5926cdf15b7232a95dfd67a2f0a7abf4c07f2ffea2210
SHA512: 5cf3d2abe4ceb26e5f9b33026254a3bce00df5dccbb1dffc6c5ef600b0de5f81fd6e2d7eaad32891cf8925eb954314cfe01275da6f024b25f7306fa16307673f
SSDEEP: 49152:t6gLKJuMarhVnMFwTH8/giBiBcbk4ZxZ2DqFeVMhuxcPh:gd1XdhBiiMa7
Malware Config
Signatures

Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe

Executes dropped EXE (2 IoCs)
pid | Process
3992 | Logo1_.exe
1700 | 23036d793dd3964189d5926cdf15b7232a95dfd67a2f0a7abf4c07f2ffea2210.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe

Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File created | C:\Program Files\Windows Defender\de-DE\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hr-hr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\7-Zip\Lang\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\javaw.exe | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\Integration\Addons\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ro-ro\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ro-ro\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ro-ro\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\nl-nl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-fr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\lua\meta\reader\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\access_output\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pl-pl\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\pl-pl\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-tw\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\MSBuild\Microsoft\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\pack200.exe | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\spu\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\it\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fr-fr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pt-br\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-tw\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\uk-ua\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\zh-cn\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ug\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-tw\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\tr-tr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\de-de\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\js\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ko-kr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\it-IT\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-il\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\root\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ko-kr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\_desktop.ini | Logo1_.exe
File created | C:\Program Files\7-Zip\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\af\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ar-ae\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-il\_desktop.ini | Logo1_.exe

Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\Dll.dll | Logo1_.exe
File created | C:\Windows\rundl132.exe | 23036d793dd3964189d5926cdf15b7232a95dfd67a2f0a7abf4c07f2ffea2210.exe
File created | C:\Windows\Logo1_.exe | 23036d793dd3964189d5926cdf15b7232a95dfd67a2f0a7abf4c07f2ffea2210.exe

System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 23036d793dd3964189d5926cdf15b7232a95dfd67a2f0a7abf4c07f2ffea2210.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Logo1_.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4176 | 23036d793dd3964189d5926cdf15b7232a95dfd67a2f0a7abf4c07f2ffea2210.exe (entry repeated 26 times)
3992 | Logo1_.exe (entry repeated 38 times)

Suspicious use of WriteProcessMemory (26 IoCs)
description | pid | Process | procid_target
PID 4176 wrote to memory of 4516 | 4176 | 23036d793dd3964189d5926cdf15b7232a95dfd67a2f0a7abf4c07f2ffea2210.exe | 84
PID 4176 wrote to memory of 4516 | 4176 | 23036d793dd3964189d5926cdf15b7232a95dfd67a2f0a7abf4c07f2ffea2210.exe | 84
PID 4176 wrote to memory of 4516 | 4176 | 23036d793dd3964189d5926cdf15b7232a95dfd67a2f0a7abf4c07f2ffea2210.exe | 84
PID 4516 wrote to memory of 2808 | 4516 | net.exe | 86
PID 4516 wrote to memory of 2808 | 4516 | net.exe | 86
PID 4516 wrote to memory of 2808 | 4516 | net.exe | 86
PID 4176 wrote to memory of 1528 | 4176 | 23036d793dd3964189d5926cdf15b7232a95dfd67a2f0a7abf4c07f2ffea2210.exe | 90
PID 4176 wrote to memory of 1528 | 4176 | 23036d793dd3964189d5926cdf15b7232a95dfd67a2f0a7abf4c07f2ffea2210.exe | 90
PID 4176 wrote to memory of 1528 | 4176 | 23036d793dd3964189d5926cdf15b7232a95dfd67a2f0a7abf4c07f2ffea2210.exe | 90
PID 4176 wrote to memory of 3992 | 4176 | 23036d793dd3964189d5926cdf15b7232a95dfd67a2f0a7abf4c07f2ffea2210.exe | 91
PID 4176 wrote to memory of 3992 | 4176 | 23036d793dd3964189d5926cdf15b7232a95dfd67a2f0a7abf4c07f2ffea2210.exe | 91
PID 4176 wrote to memory of 3992 | 4176 | 23036d793dd3964189d5926cdf15b7232a95dfd67a2f0a7abf4c07f2ffea2210.exe | 91
PID 3992 wrote to memory of 4576 | 3992 | Logo1_.exe | 92
PID 3992 wrote to memory of 4576 | 3992 | Logo1_.exe | 92
PID 3992 wrote to memory of 4576 | 3992 | Logo1_.exe | 92
PID 4576 wrote to memory of 3144 | 4576 | net.exe | 95
PID 4576 wrote to memory of 3144 | 4576 | net.exe | 95
PID 4576 wrote to memory of 3144 | 4576 | net.exe | 95
PID 3992 wrote to memory of 4900 | 3992 | Logo1_.exe | 97
PID 3992 wrote to memory of 4900 | 3992 | Logo1_.exe | 97
PID 3992 wrote to memory of 4900 | 3992 | Logo1_.exe | 97
PID 4900 wrote to memory of 3656 | 4900 | net.exe | 99
PID 4900 wrote to memory of 3656 | 4900 | net.exe | 99
PID 4900 wrote to memory of 3656 | 4900 | net.exe | 99
PID 3992 wrote to memory of 3416 | 3992 | Logo1_.exe | 56
PID 3992 wrote to memory of 3416 | 3992 | Logo1_.exe | 56
Processes
C:\Windows\Explorer.EXE (PID 3416)
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\23036d793dd3964189d5926cdf15b7232a95dfd67a2f0a7abf4c07f2ffea2210.exe (PID 4176)
    command line: "C:\Users\Admin\AppData\Local\Temp\23036d793dd3964189d5926cdf15b7232a95dfd67a2f0a7abf4c07f2ffea2210.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe (PID 4516)
      command line: net stop "Kingsoft AntiVirus Service"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe (PID 2808)
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe (PID 1528)
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a68EB.bat
      - System Location Discovery: System Language Discovery
      C:\Users\Admin\AppData\Local\Temp\23036d793dd3964189d5926cdf15b7232a95dfd67a2f0a7abf4c07f2ffea2210.exe (PID 1700)
        command line: "C:\Users\Admin\AppData\Local\Temp\23036d793dd3964189d5926cdf15b7232a95dfd67a2f0a7abf4c07f2ffea2210.exe"
        - Executes dropped EXE
    C:\Windows\Logo1_.exe (PID 3992)
      command line: C:\Windows\Logo1_.exe
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe (PID 4576)
        command line: net stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (PID 3144)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\net.exe (PID 4900)
        command line: net stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (PID 3656)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 251KB
MD5: e63b7023e3d3cf9a6ed9400267199e83
SHA1: 3e684ae0fbb078dbb2a92fec3765caa534a3caaf
SHA256: 3f3e79a518bbb6e27b812fb92732a3290b502efb225ba9a8cff60f9c10e98f26
SHA512: 5c54c4f35cdc2810fcfacd32a60ccd601650b2890133a40cb877ce975beadd6c21c5ed13932431db75ad0c6e9d2d5fcfbeeb3489e30d6e9d5affa9b8e64096ac

Filesize: 577KB
MD5: 8572d07c23974a9b03149fcff83f63c1
SHA1: e183b7103a6005ebb47a0422b4110901b17230c1
SHA256: 1441e0ba461317c75e7feef5011531cd3079fb4d2dfc972da1f71e8a40400acb
SHA512: 78f13410824633157bb058f04fc4df2c04920b2545fad7d1097d6db48d9b2725a9a152d260b8c627c420eab88473cbd6ec30401af69541bc09318ec9f5e871d5

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize: 643KB
MD5: c08994604c02bf7431e4c46295a779d5
SHA1: 7f526582e292083589253bbc8b2cd093b2229ff2
SHA256: 218bfecab8804a634b05ebcedc30eab7aa8fa8ed5775495ba9545517c311f00e
SHA512: 13d9b746d0fe6922ecff9b5bf0ac896a63da11610341d4a7701e2a8d8fc5c0511d7bd9f4f54d3756b770998601b4f7b39b7e5c36d824dd42470fb0b499065c34

Filesize: 722B
MD5: c2df8e6207d313a1e65d65c7409303c6
SHA1: 873667b497b1f46974c2d427a55eca33b2c4ad68
SHA256: bd48eab69d1a48d818f41b346d0450448b115e789913027674e9eb1d6bb02010
SHA512: 41d398f8ae89cd801561390569833aa094822098513a6d24f3159a4c188927c0bb48b27711d45a7f52e3b29d45f8a85c075bc756c9079be5ec72876e18353da5

C:\Users\Admin\AppData\Local\Temp\23036d793dd3964189d5926cdf15b7232a95dfd67a2f0a7abf4c07f2ffea2210.exe.exe
Filesize: 2.8MB
MD5: 095092f4e746810c5829038d48afd55a
SHA1: 246eb3d41194dddc826049bbafeb6fc522ec044a
SHA256: 2f606012843d144610dc7be55d1716d5d106cbc6acbce57561dc0e62c38b8588
SHA512: 7f36fc03bfed0f3cf6ac3406c819993bf995e4f8c26a7589e9032c14b5a9c7048f5567f77b3b15f946c5282fc0be6308a92eab7879332d74c400d0c139ce8400

Filesize: 33KB
MD5: eab77796242e6170e5d0127a39943097
SHA1: 61d9438be926a40cfeaf993e586a1b530a3447a1
SHA256: 810da0fd36a6de1d2d644daab89eab16893ff207d3b59dee7d63a69922795ab1
SHA512: abd8de6bedcd6e50492add733517d2b674e152df4a5454bc0e8edd59984df255a8082780d864b5652c6701118b93289022a836e732ed0114984aecf74f1a1faf

Filesize: 8B
MD5: fcbaf0a2c3988ef775359f94d545ab42
SHA1: 174ccd98ff87b8e6f46eebc493f379beafeb3b08
SHA256: 895aaa8dac57f2bb76ddc8c2681e0480bf57dbf3f62cda3840cb448b8615612f
SHA512: 7c81b6445708b1c482599bfb808e90462d6111e885691dd947d9cdf95ba028d580b20027575814a310a81f310261b649792b65153ce43063da063b5005561d20