Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/09/2024, 06:24
- Static task: static1
- Behavioral task: behavioral1
- Sample: 53c896e76187e2617f89da3049b3ed25280e8e115da78a0cfd094c575a1b7d58.exe
- Resource: win7-20240729-en
General
- Target: 53c896e76187e2617f89da3049b3ed25280e8e115da78a0cfd094c575a1b7d58.exe
- Size: 97KB
- MD5: fdd5885d7022316875e54f458abab2b8
- SHA1: f1b0e292376d201aa2b60a6408c1365287565d3f
- SHA256: 53c896e76187e2617f89da3049b3ed25280e8e115da78a0cfd094c575a1b7d58
- SHA512: 6993e58076b645a3c1b9698686996410e6e2af4b96267a4b4f6ba5a1bd5b6b77041d1abb82d3c21808d0b34d225be698753df71970c7ce7b8604528b2ca9a78a
- SSDEEP: 1536:Iche+Zk77RNzLiTOQf88qP2CsRdxgwGGCIOunToIfiWdN:Ise+aX3zvQf8l2CHRGgKTBfik
Malware Config
Signatures

Drops startup file (2 IoCs)
description | ioc | Process
- File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
- File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe

Executes dropped EXE (2 IoCs)
pid | Process
- 2976 | Logo1_.exe
- 3036 | 53c896e76187e2617f89da3049b3ed25280e8e115da78a0cfd094c575a1b7d58.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
- File opened (read-only) | \??\R: | Logo1_.exe
- File opened (read-only) | \??\M: | Logo1_.exe
- File opened (read-only) | \??\K: | Logo1_.exe
- File opened (read-only) | \??\J: | Logo1_.exe
- File opened (read-only) | \??\I: | Logo1_.exe
- File opened (read-only) | \??\Y: | Logo1_.exe
- File opened (read-only) | \??\W: | Logo1_.exe
- File opened (read-only) | \??\S: | Logo1_.exe
- File opened (read-only) | \??\P: | Logo1_.exe
- File opened (read-only) | \??\E: | Logo1_.exe
- File opened (read-only) | \??\X: | Logo1_.exe
- File opened (read-only) | \??\U: | Logo1_.exe
- File opened (read-only) | \??\Q: | Logo1_.exe
- File opened (read-only) | \??\V: | Logo1_.exe
- File opened (read-only) | \??\N: | Logo1_.exe
- File opened (read-only) | \??\G: | Logo1_.exe
- File opened (read-only) | \??\L: | Logo1_.exe
- File opened (read-only) | \??\H: | Logo1_.exe
- File opened (read-only) | \??\Z: | Logo1_.exe
- File opened (read-only) | \??\T: | Logo1_.exe
- File opened (read-only) | \??\O: | Logo1_.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory (4 IoCs)
description | ioc | Process
- File created | C:\Windows\rundl132.exe | 53c896e76187e2617f89da3049b3ed25280e8e115da78a0cfd094c575a1b7d58.exe
- File created | C:\Windows\Logo1_.exe | 53c896e76187e2617f89da3049b3ed25280e8e115da78a0cfd094c575a1b7d58.exe
- File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
- File created | C:\Windows\Dll.dll | Logo1_.exe

System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Logo1_.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 53c896e76187e2617f89da3049b3ed25280e8e115da78a0cfd094c575a1b7d58.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of WriteProcessMemory 29 IoCs
description | pid | Process | procid_target
- PID 4644 wrote to memory of 4620 | 4644 | 53c896e76187e2617f89da3049b3ed25280e8e115da78a0cfd094c575a1b7d58.exe | 84
- PID 4644 wrote to memory of 4620 | 4644 | 53c896e76187e2617f89da3049b3ed25280e8e115da78a0cfd094c575a1b7d58.exe | 84
- PID 4644 wrote to memory of 4620 | 4644 | 53c896e76187e2617f89da3049b3ed25280e8e115da78a0cfd094c575a1b7d58.exe | 84
- PID 4620 wrote to memory of 2596 | 4620 | net.exe | 86
- PID 4620 wrote to memory of 2596 | 4620 | net.exe | 86
- PID 4620 wrote to memory of 2596 | 4620 | net.exe | 86
- PID 4644 wrote to memory of 5112 | 4644 | 53c896e76187e2617f89da3049b3ed25280e8e115da78a0cfd094c575a1b7d58.exe | 90
- PID 4644 wrote to memory of 5112 | 4644 | 53c896e76187e2617f89da3049b3ed25280e8e115da78a0cfd094c575a1b7d58.exe | 90
- PID 4644 wrote to memory of 5112 | 4644 | 53c896e76187e2617f89da3049b3ed25280e8e115da78a0cfd094c575a1b7d58.exe | 90
- PID 4644 wrote to memory of 2976 | 4644 | 53c896e76187e2617f89da3049b3ed25280e8e115da78a0cfd094c575a1b7d58.exe | 92
- PID 4644 wrote to memory of 2976 | 4644 | 53c896e76187e2617f89da3049b3ed25280e8e115da78a0cfd094c575a1b7d58.exe | 92
- PID 4644 wrote to memory of 2976 | 4644 | 53c896e76187e2617f89da3049b3ed25280e8e115da78a0cfd094c575a1b7d58.exe | 92
- PID 2976 wrote to memory of 1032 | 2976 | Logo1_.exe | 93
- PID 2976 wrote to memory of 1032 | 2976 | Logo1_.exe | 93
- PID 2976 wrote to memory of 1032 | 2976 | Logo1_.exe | 93
- PID 1032 wrote to memory of 3032 | 1032 | net.exe | 95
- PID 1032 wrote to memory of 3032 | 1032 | net.exe | 95
- PID 1032 wrote to memory of 3032 | 1032 | net.exe | 95
- PID 5112 wrote to memory of 3036 | 5112 | cmd.exe | 96
- PID 5112 wrote to memory of 3036 | 5112 | cmd.exe | 96
- PID 5112 wrote to memory of 3036 | 5112 | cmd.exe | 96
- PID 2976 wrote to memory of 1084 | 2976 | Logo1_.exe | 100
- PID 2976 wrote to memory of 1084 | 2976 | Logo1_.exe | 100
- PID 2976 wrote to memory of 1084 | 2976 | Logo1_.exe | 100
- PID 1084 wrote to memory of 1676 | 1084 | net.exe | 102
- PID 1084 wrote to memory of 1676 | 1084 | net.exe | 102
- PID 1084 wrote to memory of 1676 | 1084 | net.exe | 102
- PID 2976 wrote to memory of 3384 | 2976 | Logo1_.exe | 55
- PID 2976 wrote to memory of 3384 | 2976 | Logo1_.exe | 55
Processes (process tree; depth in parentheses)
- (1) C:\Windows\Explorer.EXE, PID 3384
  command line: C:\Windows\Explorer.EXE
  - (2) C:\Users\Admin\AppData\Local\Temp\53c896e76187e2617f89da3049b3ed25280e8e115da78a0cfd094c575a1b7d58.exe, PID 4644
    command line: "C:\Users\Admin\AppData\Local\Temp\53c896e76187e2617f89da3049b3ed25280e8e115da78a0cfd094c575a1b7d58.exe"
    signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - (3) C:\Windows\SysWOW64\net.exe, PID 4620
      command line: net stop "Kingsoft AntiVirus Service"
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - (4) C:\Windows\SysWOW64\net1.exe, PID 2596
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        signatures: System Location Discovery: System Language Discovery
    - (3) C:\Windows\SysWOW64\cmd.exe, PID 5112
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB7D6.bat
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - (4) C:\Users\Admin\AppData\Local\Temp\53c896e76187e2617f89da3049b3ed25280e8e115da78a0cfd094c575a1b7d58.exe, PID 3036
        command line: "C:\Users\Admin\AppData\Local\Temp\53c896e76187e2617f89da3049b3ed25280e8e115da78a0cfd094c575a1b7d58.exe"
        signatures: Executes dropped EXE
    - (3) C:\Windows\Logo1_.exe, PID 2976
      command line: C:\Windows\Logo1_.exe
      signatures: Drops startup file; Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - (4) C:\Windows\SysWOW64\net.exe, PID 1032
        command line: net stop "Kingsoft AntiVirus Service"
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - (5) C:\Windows\SysWOW64\net1.exe, PID 3032
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          signatures: System Location Discovery: System Language Discovery
      - (4) C:\Windows\SysWOW64\net.exe, PID 1084
        command line: net stop "Kingsoft AntiVirus Service"
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - (5) C:\Windows\SysWOW64\net1.exe, PID 1676
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          signatures: System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads