f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21-09-2024 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe
Size

86KB
MD5

f228ffb8bc2415cfbe6cd994a9ba5236
SHA1

a294b01ca0857e264e8a7dcd72325d96085e35ca
SHA256

f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2
SHA512

0317f03a2f39c6e72db742de4cc2f5be01c5646594c3476379d678cb6f5a564d6f9d4cad2897caed3c2ac91246789deb149bf04570e6cd0f834c290fe2494c85
SSDEEP

1536:Kfe+Zk78UKUWQRbUi+QLcnC/ZMaRiIu/r:Kfe+aWnCRMaRiTT

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	Logo1_.exe

Executes dropped EXE 2 IoCs

pid	Process
1212	Logo1_.exe
1092	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\es-es\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tt\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nl-nl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.195.15\MicrosoftEdgeComRegisterShellARM64.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\uk-ua\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Effects\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\he\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-sl\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\he-il\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-gb\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\server\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ko-kr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ar-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\logger\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\it-it\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Comprehensive\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\en-US\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\applet\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.195.15\MicrosoftEdgeUpdateSetup.exe	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-ae\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\security\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sk-sk\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-cn\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sv-se\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\it-it\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MLModels\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\BrowserCore.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pt-br\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\themes\dark\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\eu-es\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\tr-tr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\root\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-il\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe
File created	C:\Windows\Logo1_.exe	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Logo1_.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1864	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe
1864	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe
1864	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe
1864	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe
1864	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe
1864	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe
1864	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe
1864	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe
1864	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe
1864	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe
1864	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe
1864	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe
1864	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe
1864	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe
1864	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe
1864	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe
1864	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe
1864	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe
1864	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe
1864	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe
1864	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe
1864	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe
1864	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe
1864	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe
1864	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe
1864	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe
1212	Logo1_.exe
1212	Logo1_.exe
1212	Logo1_.exe
1212	Logo1_.exe
1212	Logo1_.exe
1212	Logo1_.exe
1212	Logo1_.exe
1212	Logo1_.exe
1212	Logo1_.exe
1212	Logo1_.exe
1212	Logo1_.exe
1212	Logo1_.exe
1212	Logo1_.exe
1212	Logo1_.exe
1212	Logo1_.exe
1212	Logo1_.exe
1212	Logo1_.exe
1212	Logo1_.exe
1212	Logo1_.exe
1212	Logo1_.exe
1212	Logo1_.exe
1212	Logo1_.exe
1212	Logo1_.exe
1212	Logo1_.exe
1212	Logo1_.exe
1212	Logo1_.exe
1212	Logo1_.exe
1212	Logo1_.exe
1212	Logo1_.exe
1212	Logo1_.exe
1212	Logo1_.exe
1212	Logo1_.exe
1212	Logo1_.exe
1212	Logo1_.exe
1212	Logo1_.exe
1212	Logo1_.exe
1212	Logo1_.exe
1212	Logo1_.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 3112	1864	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe	83
PID 1864 wrote to memory of 3112	1864	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe	83
PID 1864 wrote to memory of 3112	1864	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe	83
PID 3112 wrote to memory of 2692	3112	net.exe	85
PID 3112 wrote to memory of 2692	3112	net.exe	85
PID 3112 wrote to memory of 2692	3112	net.exe	85
PID 1864 wrote to memory of 4176	1864	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe	86
PID 1864 wrote to memory of 4176	1864	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe	86
PID 1864 wrote to memory of 4176	1864	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe	86
PID 1864 wrote to memory of 1212	1864	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe	87
PID 1864 wrote to memory of 1212	1864	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe	87
PID 1864 wrote to memory of 1212	1864	f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe	87
PID 1212 wrote to memory of 3660	1212	Logo1_.exe	89
PID 1212 wrote to memory of 3660	1212	Logo1_.exe	89
PID 1212 wrote to memory of 3660	1212	Logo1_.exe	89
PID 3660 wrote to memory of 740	3660	net.exe	91
PID 3660 wrote to memory of 740	3660	net.exe	91
PID 3660 wrote to memory of 740	3660	net.exe	91
PID 4176 wrote to memory of 1092	4176	cmd.exe	92
PID 4176 wrote to memory of 1092	4176	cmd.exe	92
PID 4176 wrote to memory of 1092	4176	cmd.exe	92
PID 1212 wrote to memory of 3464	1212	Logo1_.exe	93
PID 1212 wrote to memory of 3464	1212	Logo1_.exe	93
PID 1212 wrote to memory of 3464	1212	Logo1_.exe	93
PID 3464 wrote to memory of 1176	3464	net.exe	95
PID 3464 wrote to memory of 1176	3464	net.exe	95
PID 3464 wrote to memory of 1176	3464	net.exe	95
PID 1212 wrote to memory of 3476	1212	Logo1_.exe	56
PID 1212 wrote to memory of 3476	1212	Logo1_.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3476
- C:\Users\Admin\AppData\Local\Temp\f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe
  "C:\Users\Admin\AppData\Local\Temp\f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe"
  2⤵
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3112
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9A4C.bat
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4176
  - - C:\Users\Admin\AppData\Local\Temp\f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe
      "C:\Users\Admin\AppData\Local\Temp\f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe"
      4⤵
      Executes dropped EXE
      PID:1092
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Drops startup file
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1212
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3660
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:740
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3464
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

Filesize
250KB

MD5
6bb9d7b6949c25cc2312bcd71b8e4f91

SHA1
96d199177506b8cc560fbc5bddca9473e9444bbb

SHA256
c9b0a0f3da1d9d659f8f1e9fd23403be58b04a4e96c1ee5bab96b7fd84aee5d6

SHA512
9eab4cff5138c8d1409e97cb80dd88a190c6984591a15a3c6bef094ecab16856deeee19daba78b34b3b1a27ebf70a487196f3c6d92e4e9645c036b8f4d42e92d

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
577KB

MD5
d482896e968579c40dc016709636b6d9

SHA1
9f22a694928296a8f9711eae826019d4673890ad

SHA256
d716593b016a341c615c009724981d6960b83767c51abda0b7bb3e3ab2fd7483

SHA512
6638bd31dafc77f748009a9834599259daf1eb19804af8837d3a5d6339caf1f04cf839dbc543ddb45ce9101d24325eea33766a7117466ff915779d49e56b5d08

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
643KB

MD5
29bab5fa7dbfd951e1c8290a8f4c2ba7

SHA1
7b86728d64cef9686bd45f2ff6fdc818c11a1bbb

SHA256
dda333d8aed86ba750f669280e458ad2fb8d8ad5700a5fe0df584a1c818c481b

SHA512
5bb37bffffe297653f91e0601f17b507659bcfe78567e6e1d10506d3c3bea737e7d6374224ecc01f421cff8f74b299eba8fe3152742b2b1c228966a630de1339

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a9A4C.bat

Filesize
722B

MD5
36132e200ff9e52ebd0c72f3803d8668

SHA1
2f0744360afc32ec16c7188f0a818b1bff2f09e0

SHA256
594cf9706317b9736dd830942af638d7b5e547c1c24803cfba503ee25a4e935f

SHA512
24adf83261d5484c6ce5f4d62b8d36ffdc61f5a1cc9a36a7907c35820b253538b1ced953584a58f7395ad990ea747fcc50128f116e6a410fe80e742cc9b945d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\f0d152e00ae4f291158dc6d631ec04b1f4e74190ad5daea08d6ccb3e7b44c0d2.exe.exe

Filesize
53KB

MD5
87912631f20ab91421228cd219922519

SHA1
71a90e384de55c6f5257466e53f6c0add270a01d

SHA256
fcfdb5e2601430a674f599e054f65471e42cb18f8484aa8d8eb38f0c6f4e9c6d

SHA512
0843a6a6a1e7e6d394db8d939e5e11ddfbed917e262dcb41fddee490d7e1657d45edd93fa2e734a6d8419b2f935ef53c0185d626a83ef1e7d53db8e261f8fc8a

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
ac4d54500ddcf012f66bc5ba7530beb1

SHA1
375bfcd1b95696f4b1c5f93dd5621e5c16fcda98

SHA256
733b97920694040cf31888669d75229717b34c0e0fe892d10bb5421f0879fc09

SHA512
076bddcb1a579a43ec3714f9396a2b3836bcb86d469c9df56b9bbc94aaf1330069c97c75081e5414faf2160b8904f357fa823c40273e64c8278059c760fa974a

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-656926755-4116854191-210765258-1000\_desktop.ini

Filesize
9B

MD5
5412111268dd2c1fb1cf8697bfab9b6c

SHA1
16d0b289e83c74cb50a004edd7c5750ac706f321

SHA256
f3aa35be7048ddbf11fc581e5f9476745d75bcf097e121ba2915614e360a0cdc

SHA512
13fc5bf11faaf5471fde8a1bafdcc6d27521bad796e5e532c94d9c8232dd70088e70b6d5ac60c4c15d13e59926ac38e9a9e01b4dd4694a77d70bdd1ae7005ccf

Download Submit
memory/1212-18-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1212-3351-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1212-10-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1212-8755-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1864-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1864-9-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download