Analysis
-
max time kernel
149s -
max time network
99s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system -
submitted
07/09/2024, 22:29
Static task
static1
Behavioral task
behavioral1
Sample
91e9d2fe382eeb04e4085647f8390084ff067dfaedbc4ace478988eaf4499576.exe
Resource
win7-20240708-en
General
-
Target
91e9d2fe382eeb04e4085647f8390084ff067dfaedbc4ace478988eaf4499576.exe
-
Size
761KB
-
MD5
84f9126f32fe7eea82f75c4fac951ce4
-
SHA1
7b05ea3c20f193de5966b1872c7fd1059fffcdc6
-
SHA256
91e9d2fe382eeb04e4085647f8390084ff067dfaedbc4ace478988eaf4499576
-
SHA512
0d2b62178916351ccfd618670c33a3287a2b316b5635d14f111265cab882023951990c1a8fd4dc0a77df2564f82f3c36f7073582c1b166a755c863f183cb273c
-
SSDEEP
12288:A+ayGboup+VHKBX3jbgS/Wg0MIn7ou8XBKsHKZycUQUfXJvA:ABy2kHKlzcS/0MInsu8uZycUfvA
Malware Config
Signatures
-
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
Word loads global templates and add-ins (.dot, .dotm, .wll) from its STARTUP folder; it does not load a _desktop.ini. Treat this file as the same marker Logo1_.exe writes throughout Program Files rather than as Office-based persistence, whatever the signature name suggests. -
Executes dropped EXE 2 IoCs
pid | Process
1940 | Logo1_.exe
5024 | 91e9d2fe382eeb04e4085647f8390084ff067dfaedbc4ace478988eaf4499576.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials and session cookies. The report attaches no IoC to this signature, only the two TTP mappings, so there is no specific file or registry read on this page to corroborate it.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
(21 drive letters: E: and G: through Z:; D: and F: do not appear in the list.) -
Drops file in Program Files directory 64 IoCs
description | ioc | Process
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | Logo1_.exe
File created | C:\Program Files\Java\jdk-1.8\jre\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nb-no\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\da-dk\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\fr-FR\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\wa\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\tr-tr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fi-fi\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\he-il\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sv-se\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\zh-cn\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sk-sk\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\it-IT\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\0855871B-A2C6-4F79-BA33-4BE43A9B6A02\root\vfs\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-tw\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\es-es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Client\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\es-ES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ro-ro\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jre-1.8\lib\images\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Photo Viewer\de-DE\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-cn\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\it-it\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\el\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-il\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ru-ru\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\1033\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\tr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ja-jp\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ko-kr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Mail\wabmig.exe | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\uk\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pt-br\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\it\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ro-ro\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ro-ro\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\de-de\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-sl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sl-sl\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\uk-ua\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\de-de\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\packetizer\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\_desktop.ini | Logo1_.exe
Two rows in this list are not _desktop.ini markers: the executables pack200.exe and wabmig.exe are opened for modification. Modification of existing executables across Program Files is the behaviour to prioritise in triage; the hundreds of _desktop.ini markers are noisy but only tell you which directories Logo1_.exe has already visited. The sandbox caps the listing at 64 rows, so the real set of touched files is larger. -
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\Logo1_.exe | 91e9d2fe382eeb04e4085647f8390084ff067dfaedbc4ace478988eaf4499576.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\Dll.dll | Logo1_.exe
File created | C:\Windows\rundl132.exe | 91e9d2fe382eeb04e4085647f8390084ff067dfaedbc4ace478988eaf4499576.exe
Note the name rundl132.exe: a digit 1 stands in for the second l of the legitimate rundll32.exe, and the file sits in C:\Windows rather than in System32. Neither Logo1_.exe nor Dll.dll is a Windows component. -
System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempts to gather information about the system language of the victim host in order to infer its geographical location. Reading this key is also ordinary behaviour for localised system utilities, so the hits from net.exe, net1.exe and cmd.exe below are expected noise; only the reads by the sample and by Logo1_.exe are of interest.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Logo1_.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 91e9d2fe382eeb04e4085647f8390084ff067dfaedbc4ace478988eaf4499576.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 91e9d2fe382eeb04e4085647f8390084ff067dfaedbc4ace478988eaf4499576.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe -
Runs net.exe
The three net.exe invocations (PIDs 4456, 3140 and 4440 in the process tree) all run net stop "Kingsoft AntiVirus Service", each handing off to net1.exe. One comes from the sample itself and two from Logo1_.exe, so the service stop is retried after the second-stage binary starts.
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
4876 | 91e9d2fe382eeb04e4085647f8390084ff067dfaedbc4ace478988eaf4499576.exe (row repeated for each enumeration event)
1940 | Logo1_.exe (row repeated likewise)
The original table holds 64 rows, all of them one of these two entries. -
Suspicious use of WriteProcessMemory 29 IoCs
description | pid | Process | procid_target
PID 4876 wrote to memory of 4456 | 4876 | 91e9d2fe382eeb04e4085647f8390084ff067dfaedbc4ace478988eaf4499576.exe | 83 (3 entries)
PID 4456 wrote to memory of 2004 | 4456 | net.exe | 85 (3 entries)
PID 4876 wrote to memory of 1576 | 4876 | 91e9d2fe382eeb04e4085647f8390084ff067dfaedbc4ace478988eaf4499576.exe | 89 (3 entries)
PID 4876 wrote to memory of 1940 | 4876 | 91e9d2fe382eeb04e4085647f8390084ff067dfaedbc4ace478988eaf4499576.exe | 90 (3 entries)
PID 1940 wrote to memory of 3140 | 1940 | Logo1_.exe | 92 (3 entries)
PID 1576 wrote to memory of 5024 | 1576 | cmd.exe | 94 (3 entries)
PID 3140 wrote to memory of 3444 | 3140 | net.exe | 95 (3 entries)
PID 1940 wrote to memory of 4440 | 1940 | Logo1_.exe | 97 (3 entries)
PID 4440 wrote to memory of 4576 | 4440 | net.exe | 99 (3 entries)
PID 1940 wrote to memory of 3552 | 1940 | Logo1_.exe | 56 (2 entries)
procid_target is the sandbox's internal index for the target process, not a PID. Every row but the last is a parent writing into a child it has just created, which is the normal CreateProcess pattern this signature picks up. The last row is different: Logo1_.exe writes into PID 3552, Explorer.EXE, the root of the tree and a process it did not create. That is the one WriteProcessMemory event here that warrants a closer look.
Processes
-
C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    PID: 3552

    C:\Users\Admin\AppData\Local\Temp\91e9d2fe382eeb04e4085647f8390084ff067dfaedbc4ace478988eaf4499576.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\91e9d2fe382eeb04e4085647f8390084ff067dfaedbc4ace478988eaf4499576.exe"
        - Drops file in Windows directory
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        PID: 4876

        C:\Windows\SysWOW64\net.exe
            command line: net stop "Kingsoft AntiVirus Service"
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 4456

            C:\Windows\SysWOW64\net1.exe
                command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                - System Location Discovery: System Language Discovery
                PID: 2004

        C:\Windows\SysWOW64\cmd.exe
            command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a77C0.bat
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory
            PID: 1576

            C:\Users\Admin\AppData\Local\Temp\91e9d2fe382eeb04e4085647f8390084ff067dfaedbc4ace478988eaf4499576.exe
                command line: "C:\Users\Admin\AppData\Local\Temp\91e9d2fe382eeb04e4085647f8390084ff067dfaedbc4ace478988eaf4499576.exe"
                - Executes dropped EXE
                - System Location Discovery: System Language Discovery
                PID: 5024

        C:\Windows\Logo1_.exe
            command line: C:\Windows\Logo1_.exe
            - Drops startup file
            - Executes dropped EXE
            - Enumerates connected drives
            - Drops file in Program Files directory
            - Drops file in Windows directory
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of WriteProcessMemory
            PID: 1940

            C:\Windows\SysWOW64\net.exe
                command line: net stop "Kingsoft AntiVirus Service"
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory
                PID: 3140

                C:\Windows\SysWOW64\net1.exe
                    command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                    - System Location Discovery: System Language Discovery
                    PID: 3444

            C:\Windows\SysWOW64\net.exe
                command line: net stop "Kingsoft AntiVirus Service"
                - System Location Discovery: System Language Discovery
                - Suspicious use of WriteProcessMemory
                PID: 4440

                C:\Windows\SysWOW64\net1.exe
                    command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                    - System Location Discovery: System Language Discovery
                    PID: 4576

Reading the tree: the sample (PID 4876) stops the Kingsoft antivirus service, writes Logo1_.exe and rundl132.exe into C:\Windows, starts Logo1_.exe, and runs a $$a77C0.bat batch file from Temp that relaunches the file at the original sample path. The sandbox tags that second launch (PID 5024) as a dropped EXE, which means the file at that path was rewritten before it ran again. Logo1_.exe then repeats the service stop twice, enumerates drives and writes across Program Files. All of the child processes are 32-bit (SysWOW64 images) on the x64 image.
-
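The process tree above is the kind of chain a detection engineer wants to turn into rules before the next sample with a different hash comes along. The following is an added example for this page, not code from the sandbox or from the sample: it runs three simple rules over Sysmon-style process-creation events. The events are constructed to mirror the report's tree (same PIDs and command lines, with the hash-named sample image shortened to sample.exe) plus made-up benign rows (PIDs 9001 and 9002, parent PID 1000) that the rules must not flag. The rule names and the regexes are this example's own.

```python
"""Detection rules for the process chain in this report, run over constructed
Sysmon-style process-creation events.

Added example for this report page, not code from the sandbox or the sample.
PIDs and command lines come from the report's process tree; sample.exe stands
in for the hash-named sample image; PIDs 9001/9002 and parent 1000 are benign
rows constructed for the example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable image
    cmdline: str    # command line as logged


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"
EVENTS = [
    ProcEvent(3552, 1000, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(4876, 3552, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4456, 4876, r"C:\Windows\SysWOW64\net.exe", 'net stop "Kingsoft AntiVirus Service"'),
    ProcEvent(2004, 4456, r"C:\Windows\SysWOW64\net1.exe", r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
    ProcEvent(1576, 4876, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a77C0.bat"),
    ProcEvent(5024, 1576, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(1940, 4876, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    ProcEvent(9001, 3552, r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),       # benign, constructed
    ProcEvent(9002, 9001, r"C:\Windows\SysWOW64\net.exe", "net use"),              # benign, constructed
]

# "net stop" / "sc stop" against a service whose name looks like security software.
AV_SERVICE_STOP = re.compile(r"\bstop\b.*(anti.?virus|defender|security|endpoint|protect)", re.I)
# cmd.exe running a $$-prefixed .bat out of a Temp directory.
TEMP_BATCH = re.compile(r"\\temp\\\$\$[^\\\s]*\.bat\b", re.I)


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def in_windows_root(path: str) -> bool:
    """True when the image sits directly in C:\\Windows\\, not in System32 or another subdirectory."""
    parts = path.lower().split("\\")
    return len(parts) == 3 and parts[:2] == ["c:", "windows"]


def rule_av_service_stop(ev: ProcEvent, by_pid: dict) -> bool:
    return image_name(ev.image) in {"net.exe", "net1.exe", "sc.exe"} and bool(AV_SERVICE_STOP.search(ev.cmdline))


def rule_temp_batch(ev: ProcEvent, by_pid: dict) -> bool:
    return image_name(ev.image) == "cmd.exe" and bool(TEMP_BATCH.search(ev.cmdline))


def rule_windows_root_child_of_temp(ev: ProcEvent, by_pid: dict) -> bool:
    """An executable in the Windows root started by a parent that itself runs from a user Temp directory."""
    parent = by_pid.get(ev.ppid)
    return parent is not None and in_windows_root(ev.image) and "\\appdata\\local\\temp\\" in parent.image.lower()


RULES = {
    "av_service_stop": rule_av_service_stop,
    "temp_batch": rule_temp_batch,
    "windows_root_child_of_temp": rule_windows_root_child_of_temp,
}


def detect(events):
    """Return (rule, pid) pairs, in event order, for every event that matches a rule."""
    by_pid = {e.pid: e for e in events}
    return [(name, ev.pid) for ev in events for name, rule in RULES.items() if rule(ev, by_pid)]


def ancestry(pid: int, events):
    """Image names from the given PID up to the root of the recorded tree."""
    by_pid = {e.pid: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(image_name(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


if __name__ == "__main__":
    for name, pid in detect(EVENTS):
        print(f"{name:28s} pid={pid:<5d} chain={' <- '.join(ancestry(pid, EVENTS))}")
```

Run against the constructed events, the rules flag the two service-stop processes (4456 and 2004), the batch launch (1576) and Logo1_.exe (1940), and stay silent on the benign rows. The third rule is the one that carries over to other samples of this shape: a binary in the Windows root spawned by something in Temp is rare on a clean host, whatever the binary is called.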
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
250KB
MD5
71ba7af50c95582d5533b66cb35dd83a
SHA1
e04b58f7ee8b0ca9ef148ec1e10d088047f867ab
SHA256
1ea29a665f9812577876ba26bd78ba674c2db7f4595a40d75b1dd8cd822a936b
SHA512
031a9dffc539f40f0fe328c92b5a1610411f60dab96929d5eeb32018bbc754940cfb844d55becf9647a038dbf6fa885aecf6dcab8604434ae7cab5396cc1df15
-
Filesize
577KB
MD5
5ac4056f9d0b3bd588671434ead1c17f
SHA1
9d3e0e6c41fe202d78ac7adc0c26c0a5d27b5d9c
SHA256
ed3ad6c04b7778bf946fe1a0cea7b00a82542c7cb9687e562741248ea7657411
SHA512
12955c0c491b2f4b5343ba8d64ac9c08eaa77cb5b84929b36fd9efde7e241dd1553d3175fb39d1f4f9a9cb9e1242f501df3943788977fb06b0d30871ba5330d2
-
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize
643KB
MD5
a5d877ddb05e13f657da9a470f10bd7c
SHA1
0e06863bb66b72b01d0120f89a176a13ffccc6cc
SHA256
5fba16468f3e99ea99a8b3007a6d4a34ddcbedcf757c192f0eaf707297414777
SHA512
aa28dca40bbc144f40dec11b83cbb4ed746f3f74c831318c2eea0d5d4108ed6452485f30ab7f697114e19b48d4b256580042a542ebd65dacacea5e5384f600ed
This is an installer executable in the Package Cache, and it appears among the files the sandbox collected from the run. Together with the pack200.exe and wabmig.exe modifications under Program Files, that means executables already on disk are being written to; compare this file against a known-good copy of the same installer before trusting it.
-
Filesize
722B
MD5
9557c410c21621f765ccca0aa788b8b9
SHA1
e84e91d6201d21a74814593514780813b788607c
SHA256
63f3976d0588ce9add9d6eb1a3e4c787a7788e14384a67659a47a8bd25267e41
SHA512
70cbf0df173ac3d940a351044e3ef4c0320607a455010356f1d67ca0a6c72931e268483d3387a1de5b608c0bf093fb364178ed03a9301a4c3c01ea8deaa517f1
-
C:\Users\Admin\AppData\Local\Temp\91e9d2fe382eeb04e4085647f8390084ff067dfaedbc4ace478988eaf4499576.exe.exe
Filesize
728KB
MD5
23e2fc0497edd8195bcae45a1389bf85
SHA1
28d2f99739a49cb707f9348cd3195e234c853b1e
SHA256
92d70a8fc07cee881009026759a8aaa5debfb64069038f610988719ed3630107
SHA512
5ae4c17363aa70cd17532fcf76bdff86d2634956f6e0483e88a14b22ce3e6dd01ad233943409302ab3a858d9d9eddb1a5d6d376f48908b64ed655554abfb2b4c
A second copy written next to the sample with a doubled .exe.exe extension, and with a different hash and a smaller size (728KB against the 761KB sample). Pull both and diff them before drawing conclusions about what the $$a77C0.bat relaunch actually executed.
-
Filesize
33KB
MD5
c4ec2631f0913b349423b6d2bd687a6b
SHA1
9b9ae1664a063db7e1bd53073f6f1c3a62fa0e55
SHA256
cdaed7acb956972ce40a95412620150fcf1428c34a8ddbd0e9f0742df0d885bb
SHA512
a8ba683aa3c9d607d7ef9c3ec28a924b23be85a90e5334eb2a9f6edb8117442a818608c44f010b2bdaec052319fcc6436b5628408f4ebb82d207196df1729e86
-
Filesize
8B
MD5
24cfb7e9169e3ecbcdf34395dff5aed0
SHA1
64061d8b0afd788fb3d2990e90e61f14010896dd
SHA256
e11477f26e6139dabba6ad5dab927732c6a3785db78f82194ad7ae20323c6578
SHA512
a315d4ab14f15f8df115e35134f0a1eff8018b0c35c5a0283928f2d3f3014215d683973b9aeba1bc74c49437cc929ea4e2fb847b4305da6d5abca235c750e299
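The file IoCs on this page (the three drops in C:\Windows, the _desktop.ini markers under Program Files and in the Word STARTUP folder, and the hashes in General and Downloads) are what a responder sweeps a fleet for. The following is an added example for this page, not code from the sandbox or the sample: it walks a directory tree and applies those IoCs as rules, comparing SHA-256 digests against the hashes copied from this report and matching file names by position. It also flags digit-for-letter look-alikes of system binary names in the Windows root, which is how rundl132.exe is caught without hard-coding it. The tree it runs on here is constructed in a temporary directory with placeholder bytes, so the hash rule cannot fire on it; on a real host, point sweep() at the system drive. The rule names, the list of system binary names and the homoglyph table are this example's own. Note the marker is _desktop.ini with a leading underscore; the rule deliberately does not match the legitimate desktop.ini Explorer writes.

```python
"""Host sweep for the file-system artefacts listed in this report.

Added example for this report page, not the sandbox's or the sample's code.
SHA-256 values are copied from the report; the directory tree below is
constructed with placeholder contents, so only the name-based rules can fire
on it.
"""
import hashlib
import tempfile
from pathlib import Path

# SHA-256 digests copied from the report (sample plus the collected files).
KNOWN_SHA256 = {
    "91e9d2fe382eeb04e4085647f8390084ff067dfaedbc4ace478988eaf4499576",
    "1ea29a665f9812577876ba26bd78ba674c2db7f4595a40d75b1dd8cd822a936b",
    "ed3ad6c04b7778bf946fe1a0cea7b00a82542c7cb9687e562741248ea7657411",
    "5fba16468f3e99ea99a8b3007a6d4a34ddcbedcf757c192f0eaf707297414777",
    "63f3976d0588ce9add9d6eb1a3e4c787a7788e14384a67659a47a8bd25267e41",
    "92d70a8fc07cee881009026759a8aaa5debfb64069038f610988719ed3630107",
    "cdaed7acb956972ce40a95412620150fcf1428c34a8ddbd0e9f0742df0d885bb",
    "e11477f26e6139dabba6ad5dab927732c6a3785db78f82194ad7ae20323c6578",
}
DROPPED_IN_WINDOWS = {"logo1_.exe", "rundl132.exe", "dll.dll"}   # "Drops file in Windows directory"
SYSTEM_NAMES = {"rundll32.exe", "svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe", "explorer.exe"}
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o"})                   # digit-for-letter swaps (example's own table)
PROGRAM_FILES = {"program files", "program files (x86)"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def classify(rel_parts, digest: str):
    """Yield the rule names that apply to one file, given its path parts relative to the drive root."""
    parts = [p.lower() for p in rel_parts]
    name = parts[-1]
    if len(parts) == 2 and parts[0] == "windows":          # directly under C:\Windows, not System32
        if name in DROPPED_IN_WINDOWS:
            yield "dropped_in_windows"
        if name not in SYSTEM_NAMES and name.translate(HOMOGLYPHS) in SYSTEM_NAMES:
            yield "lookalike_system_name"
    if name == "_desktop.ini":                              # underscore form only
        if parts[0] in PROGRAM_FILES:
            yield "program_files_marker"
        if "word" in parts and "startup" in parts:
            yield "word_startup_marker"
    if digest in KNOWN_SHA256:
        yield "sha256_match"


def sweep(root: Path):
    """Return sorted (rule, relative_posix_path) pairs for every file under root."""
    hits = []
    for p in root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(root)
            hits.extend((rule, rel.as_posix()) for rule in classify(rel.parts, sha256_of(p)))
    return sorted(hits)


def build_constructed_tree(root: Path) -> None:
    """Constructed layout mirroring the report's file IoCs plus benign files; contents are placeholders."""
    files = [
        "Windows/Logo1_.exe", "Windows/rundl132.exe", "Windows/Dll.dll",
        "Windows/notepad.exe", "Windows/System32/rundll32.exe",            # benign
        "Users/Admin/AppData/Roaming/Microsoft/Word/STARTUP/_desktop.ini",
        "Program Files/VideoLAN/VLC/locale/wa/_desktop.ini",
        "Program Files/VideoLAN/VLC/README.txt",                            # benign
    ]
    for f in files:
        path = root / f
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"placeholder: " + f.encode())


def run_demo():
    """Build the constructed tree in a temporary directory and sweep it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        build_constructed_tree(root)
        return sweep(root)


if __name__ == "__main__":
    for rule, rel in run_demo():
        print(f"{rule:24s} {rel}")
```

On the constructed tree the sweep reports the three Windows-root drops, rundl132.exe a second time as a look-alike of rundll32.exe, and the two _desktop.ini markers, while notepad.exe, the real System32\rundll32.exe and the README stay clean. The hash rule is the only one tied to this exact build; the name and position rules are what carry over to the next variant.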