Analysis
max time kernel: 149s
max time network: 133s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
submitted: 26/08/2024, 07:56
Static task: static1
Behavioral task: behavioral1
Sample: ea5e80a68a59faed3241149926a06473544a057c31c9eca9caec3a0317d0f5eb.exe
Resource: win7-20240708-en
General
Target: ea5e80a68a59faed3241149926a06473544a057c31c9eca9caec3a0317d0f5eb.exe
Size: 394KB
MD5: b0e144308626d22f6e6c734f959f0306
SHA1: d2b24e07f30084f40e178d18a76d594d03d4cb78
SHA256: ea5e80a68a59faed3241149926a06473544a057c31c9eca9caec3a0317d0f5eb
SHA512: 6d4b57b15a7b507fabd557d898942a07f0d0cad432c1f304bd805192d125bae17cfe4438a4d24d761fb47b45a0c69e26b062dd38328fba54837ad5adfc40dbd0
SSDEEP: 6144:7B46tGdye412P2zPVz7jUBs8hqcBCi6dbfra4erJlt9A+xX1oOAisEIWmGeNkfGY:7B3NbZahVy41
Malware Config
Signatures
Drops file in Drivers directory 2 IoCs
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | ea5e80a68a59faed3241149926a06473544a057c31c9eca9caec3a0317d0f5eb.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | Logo1_.exe

Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe

Executes dropped EXE 2 IoCs
pid | Process
4536 | Logo1_.exe
4380 | ea5e80a68a59faed3241149926a06473544a057c31c9eca9caec3a0317d0f5eb.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sk-sk\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\it-it\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sv-se\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\host\fxr\6.0.27\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\lib\images\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Defender\uk-UA\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\uk-ua\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\zh-tw\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\sv-se\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\en-il\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\uk-ua\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\es-es\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\fonts\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\oc\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\lua\http\images\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\root\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\cs-cz\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\gl\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\visualization\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\nl-nl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jabswitch.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\sl-sl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\es-ES\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sl-si\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\ADOMD.NET\130\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\lo\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-sl\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\Java\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Validator\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\root\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ko-kr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pl-pl\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sl-sl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\hr-hr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\ja-jp\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ca-es\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ro-ro\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sv-se\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ca-es\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\da-dk\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\de-de\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ro-ro\_desktop.ini | Logo1_.exe
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\rundl132.exe | ea5e80a68a59faed3241149926a06473544a057c31c9eca9caec3a0317d0f5eb.exe
File created | C:\Windows\Logo1_.exe | ea5e80a68a59faed3241149926a06473544a057c31c9eca9caec3a0317d0f5eb.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\Dll.dll | Logo1_.exe
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Logo1_.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ea5e80a68a59faed3241149926a06473544a057c31c9eca9caec3a0317d0f5eb.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
3228 | ea5e80a68a59faed3241149926a06473544a057c31c9eca9caec3a0317d0f5eb.exe (repeated entries)
4536 | Logo1_.exe (repeated entries)

Suspicious use of WriteProcessMemory 28 IoCs
description | pid | Process | procid_target
PID 3228 wrote to memory of 2132 | 3228 | ea5e80a68a59faed3241149926a06473544a057c31c9eca9caec3a0317d0f5eb.exe | 83 (3 entries)
PID 2132 wrote to memory of 3968 | 2132 | net.exe | 85 (3 entries)
PID 3228 wrote to memory of 3044 | 3228 | ea5e80a68a59faed3241149926a06473544a057c31c9eca9caec3a0317d0f5eb.exe | 89 (3 entries)
PID 3228 wrote to memory of 4536 | 3228 | ea5e80a68a59faed3241149926a06473544a057c31c9eca9caec3a0317d0f5eb.exe | 91 (3 entries)
PID 4536 wrote to memory of 4596 | 4536 | Logo1_.exe | 92 (3 entries)
PID 3044 wrote to memory of 4380 | 3044 | cmd.exe | 94 (2 entries)
PID 4596 wrote to memory of 4908 | 4596 | net.exe | 95 (3 entries)
PID 4536 wrote to memory of 1464 | 4536 | Logo1_.exe | 99 (3 entries)
PID 1464 wrote to memory of 1172 | 1464 | net.exe | 101 (3 entries)
PID 4536 wrote to memory of 3444 | 4536 | Logo1_.exe | 56 (2 entries)
Processes
C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID:3444
  C:\Users\Admin\AppData\Local\Temp\ea5e80a68a59faed3241149926a06473544a057c31c9eca9caec3a0317d0f5eb.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\ea5e80a68a59faed3241149926a06473544a057c31c9eca9caec3a0317d0f5eb.exe"
    - Drops file in Drivers directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:3228
    C:\Windows\SysWOW64\net.exe
      command line: net stop "Kingsoft AntiVirus Service"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:2132
      C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
        PID:3968
    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBA76.bat
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID:3044
      C:\Users\Admin\AppData\Local\Temp\ea5e80a68a59faed3241149926a06473544a057c31c9eca9caec3a0317d0f5eb.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\ea5e80a68a59faed3241149926a06473544a057c31c9eca9caec3a0317d0f5eb.exe"
        - Executes dropped EXE
        PID:4380
    C:\Windows\Logo1_.exe
      command line: C:\Windows\Logo1_.exe
      - Drops file in Drivers directory
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID:4536
      C:\Windows\SysWOW64\net.exe
        command line: net stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID:4596
        C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          - System Location Discovery: System Language Discovery
          PID:4908
      C:\Windows\SysWOW64\net.exe
        command line: net stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID:1464
        C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          - System Location Discovery: System Language Discovery
          PID:1172
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 251KB
MD5: eb5b071171c5694c1c9c2d7ef6768c8d
SHA1: b16df3546a9f5e84c30cfe02a9e609b838d10edc
SHA256: c3da4f206a61ef61412511852479c3ce56cd521451511202cde840c5305192ac
SHA512: 8071032de56f84eba40b8a42127d14a91bf8b3bd003ca23199f9267ab7f69f71076e2b8f0f4f3377b061b8d3b4cf7d1fa4139efd4cb1655226b2baea47f58625

Filesize: 577KB
MD5: 97bda8e6220d0c6b1dbfedbfdbc9d1b1
SHA1: 6e684d8467657f4c65525ab6266ebf05d7cd303c
SHA256: 7cc20610d929f9d12a1ca9172080af36cd85065454faae2cef452c182f30d271
SHA512: c1ab5caabfd0105bd56b31fb68290df15b9e1867407aa2c8b910bfe170dffc2fe94bd9c3d652dd8b1cdc7ff09f26bc1bfeea48a97b3cbf1377fd419a86061df7

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize: 644KB
MD5: 74f614352141ac4f78c3e59955ed2258
SHA1: 179465d798ce029d20b16601530037ca9d87563f
SHA256: e33cff13b2b5307aaa06fc8f6d15ebe31eeb5ac6ad8d12b4b5c877eb34cca70c
SHA512: af736346b2a298b653dccc43a44d852001584bc22c5e00cb959246a0544044587e27ae3af6c253bf68b3dbe24a0badbe0bf55784f704d8e2f703afaed49ae6ae

Filesize: 722B
MD5: bc490f61264b977ba43cdcee424f9ee7
SHA1: 6670a1364630756875565ae5f66045807d57cdea
SHA256: ce48a3bbb6b3a5d64c20242e82c3f98dc86fd0468c2eabd3793838963fb2c82a
SHA512: 9ff9f42e48b13efc5dfde25b8718f9a0af3181c504fdb99c35df02fdf3ee7564f824168a0d329f4ed14cab87902e71e5a511fcb9c37b82a2ac89df3e0046a7c0

C:\Users\Admin\AppData\Local\Temp\ea5e80a68a59faed3241149926a06473544a057c31c9eca9caec3a0317d0f5eb.exe.exe
Filesize: 360KB
MD5: 5fbd45261a2de3bb42f489e825a9a935
SHA1: ff388f6e9efe651ec62c4152c1739783e7899293
SHA256: 9e63701598199d5c47217e23b44d0e3ec5d53f5419166b1b6c68a7e9e8fc47a4
SHA512: 7f22b1995a07016adb342c551454d602bfbe511525139aee8581b62116608e9e278fd81c26382f1333c7eccded4474196e73c093bb5cbf8e8f203e865024c058

Filesize: 33KB
MD5: d174561b1e0967157623e8537bd11a4d
SHA1: da02823d07860f3ff38f606de019522ea1ce8232
SHA256: a79d16f1e4478b2943fcca2f4b6128a104159274e0cc6e085cad2b8c7068fdf4
SHA512: 2856b27271613a752515e7043f54f5367a743c623cacdc6a507961641da8318023baeeaa4307cf815888542e30e218d30aef38a66effa90db545adc562254756

Filesize: 842B
MD5: 6f4adf207ef402d9ef40c6aa52ffd245
SHA1: 4b05b495619c643f02e278dede8f5b1392555a57
SHA256: d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e
SHA512: a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

Filesize: 9B
MD5: 4a3bb7dd20666e6acdbbb0a30534552a
SHA1: 9734039e7de3c663de70f65e731dc3426e73940c
SHA256: 44b303f424240fd96e60c63ce757a0011734fd320fe031942712f1a1a083fd47
SHA512: 8b20f7e731d617da7c6d7c1fe1b50424ce3edc58cbc7598b662f0db6e0a31dc92e2d1ecd56021fe43e035bd36e4edd9d3cb80f22afc224096cc3974396076f07