Analysis

max time kernel: 149s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08/09/2024, 19:37
Static task: static1
Behavioral task: behavioral1
Sample: 58cb016e86578542b1b7283ef0f41c0c63e6419a50e4f888006deab9493611fe.exe
Resource: win7-20240903-en
General

Target: 58cb016e86578542b1b7283ef0f41c0c63e6419a50e4f888006deab9493611fe.exe
Size: 155KB
MD5: 45cfe8f7bc5dcaf0dccd63c1d753d0d5
SHA1: 123237716fa02674809acef409eca39b97728ab7
SHA256: 58cb016e86578542b1b7283ef0f41c0c63e6419a50e4f888006deab9493611fe
SHA512: 9f891127ff027ee6ceb54e60ff0f83705d04df59d26745b58ddc92a7900f98b3e4cfd1aa5c1b4fe0d667b79ff2000e8494d12fab876393092aff0638f0a7095c
SSDEEP: 3072:JUaY46tGNFC0VFHYGx2SYg+b/Q+y1s+kvQ4gXIRSG+7IJqC3CJyoDjpBnjkP01:W46tGfC0jHY62SYdb4fnGZLknnj11
Signatures

Drops file in Drivers directory (2 IoCs)
  description                   ioc                                        Process
  File opened for modification  C:\Windows\system32\drivers\etc\hosts      58cb016e86578542b1b7283ef0f41c0c63e6419a50e4f888006deab9493611fe.exe
  File opened for modification  C:\Windows\system32\drivers\etc\hosts      Logo1_.exe
Drops startup file (2 IoCs)
  description                   ioc                                                                  Process
  File created                  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini   Logo1_.exe
  File opened for modification  C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini   Logo1_.exe
Executes dropped EXE (2 IoCs)
  pid   Process
  4544  Logo1_.exe
  696   58cb016e86578542b1b7283ef0f41c0c63e6419a50e4f888006deab9493611fe.exe
Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc                                                                  Process
  File opened (read-only)  \??\E: \??\G: \??\H: \??\I: \??\J: \??\K: \??\L: \??\M: \??\N:       Logo1_.exe
                           \??\O: \??\P: \??\Q: \??\R: \??\S: \??\T: \??\U: \??\V: \??\W:
                           \??\X: \??\Y: \??\Z:
  (every drive letter from E: to Z: except F:, one read-only open each)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
  description                   ioc                       Process
  File created                  C:\Windows\rundl132.exe   58cb016e86578542b1b7283ef0f41c0c63e6419a50e4f888006deab9493611fe.exe
  File created                  C:\Windows\Logo1_.exe     58cb016e86578542b1b7283ef0f41c0c63e6419a50e4f888006deab9493611fe.exe
  File opened for modification  C:\Windows\rundl132.exe   Logo1_.exe
  File created                  C:\Windows\Dll.dll        Logo1_.exe
System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process (number of opens)
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net.exe (3)
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  net1.exe (3)
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  58cb016e86578542b1b7283ef0f41c0c63e6419a50e4f888006deab9493611fe.exe (2)
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Logo1_.exe (1)
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  cmd.exe (1)
Runs net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid   Process
  636   58cb016e86578542b1b7283ef0f41c0c63e6419a50e4f888006deab9493611fe.exe
  4544  Logo1_.exe
  (64 entries in total, every one of them from these two processes)
Suspicious use of WriteProcessMemory (29 IoCs)
  pid   Process                                                                 wrote to memory of (pid)  procid_target  entries
  636   58cb016e86578542b1b7283ef0f41c0c63e6419a50e4f888006deab9493611fe.exe   4048                      90             3
  4048  net.exe                                                                 2268                      92             3
  636   58cb016e86578542b1b7283ef0f41c0c63e6419a50e4f888006deab9493611fe.exe   3108                      96             3
  636   58cb016e86578542b1b7283ef0f41c0c63e6419a50e4f888006deab9493611fe.exe   4544                      98             3
  4544  Logo1_.exe                                                              548                       99             3
  3108  cmd.exe                                                                 696                       101            3
  548   net.exe                                                                 4748                      102            3
  4544  Logo1_.exe                                                              2984                      104            3
  2984  net.exe                                                                 4912                      106            3
  4544  Logo1_.exe                                                              3532                      56             2
Processes

C:\Windows\Explorer.EXE
  command line: C:\Windows\Explorer.EXE
  PID: 3532

  C:\Users\Admin\AppData\Local\Temp\58cb016e86578542b1b7283ef0f41c0c63e6419a50e4f888006deab9493611fe.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\58cb016e86578542b1b7283ef0f41c0c63e6419a50e4f888006deab9493611fe.exe"
    PID: 636
    - Drops file in Drivers directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net.exe
      command line: net stop "Kingsoft AntiVirus Service"
      PID: 4048
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net1.exe
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        PID: 2268
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4205.bat
      PID: 3108
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\58cb016e86578542b1b7283ef0f41c0c63e6419a50e4f888006deab9493611fe.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\58cb016e86578542b1b7283ef0f41c0c63e6419a50e4f888006deab9493611fe.exe"
        PID: 696
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

    C:\Windows\Logo1_.exe
      command line: C:\Windows\Logo1_.exe
      PID: 4544
      - Drops file in Drivers directory
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net.exe
        command line: net stop "Kingsoft AntiVirus Service"
        PID: 548
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 4748
          - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\net.exe
        command line: net stop "Kingsoft AntiVirus Service"
        PID: 2984
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 4912
          - System Location Discovery: System Language Discovery

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4128,i,13995403245988825027,7033610968827661507,262144 --variations-seed-version --mojo-platform-channel-handle=4240 /prefetch:8
  PID: 5024
Downloads