Analysis
max time kernel: 149s
max time network: 125s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-02-2025 07:52
Static task: static1
Behavioral task: behavioral1
Sample: d034c018f4146b5c10d86c7a9839f754d3300e955372fd28e80abd850f6f5ded.exe
Resource: win7-20241010-en
General
Target: d034c018f4146b5c10d86c7a9839f754d3300e955372fd28e80abd850f6f5ded.exe
Size: 191KB
MD5: 826f550207fcf20aa9539cc671dfccaf
SHA1: b61b8f54e93a7f1c7b09c24f9f84245f709ff241
SHA256: d034c018f4146b5c10d86c7a9839f754d3300e955372fd28e80abd850f6f5ded
SHA512: 89711c9c2018dfa5f076ed1ec0807f8bdf82d7ff8522aea1c659c5903a636909294fd23a5522524cd25148d9f6760412032eb899dfc7f18cde9b03f3021161a6
SSDEEP: 3072:8iNe+azbRPrlr9RXFvARYLJXJoYtpA/H3RpDecC+EZX70RjLTu46R0Eb:I+azbRZvJgYLjvqXRpDecw7Kj3u46db
Malware Config
Signatures
Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
Executes dropped EXE (2 IoCs)
pid | Process
3540 | Logo1_.exe
3404 | d034c018f4146b5c10d86c7a9839f754d3300e955372fd28e80abd850f6f5ded.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-cn\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ja-jp\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hu-hu\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\eu-es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sv-se\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sv-se\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-il\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Internet Explorer\de-DE\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\da-dk\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Defender\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\eu-es\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ro-ro\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ru-ru\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-si\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jre-1.8\lib\security\policy\limited\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\te\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nl-nl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Multimedia Platform\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\de-DE\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\uk-ua\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\fi-fi\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ja-jp\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft.NET\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\root\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\es-es\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\tr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Internet Explorer\ja-JP\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\de-de\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ko-kr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\AFTRNOON\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\is\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PSReadline\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\eu-es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\iexplore.exe | Logo1_.exe
File created | C:\Program Files (x86)\Windows Photo Viewer\uk-UA\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-il\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fi-fi\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\root\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fi-fi\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\fy\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hu-hu\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ar-ae\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate\Offline\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Comprehensive\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Google\Chrome\Application\123.0.6312.123\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\132.0.2957.140\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\he-il\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\msedge_proxy.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\ne\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\es-es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ca-es\_desktop.ini | Logo1_.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\rundl132.exe | d034c018f4146b5c10d86c7a9839f754d3300e955372fd28e80abd850f6f5ded.exe
File created | C:\Windows\Logo1_.exe | d034c018f4146b5c10d86c7a9839f754d3300e955372fd28e80abd850f6f5ded.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\Dll.dll | Logo1_.exe
System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d034c018f4146b5c10d86c7a9839f754d3300e955372fd28e80abd850f6f5ded.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Logo1_.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4480 | d034c018f4146b5c10d86c7a9839f754d3300e955372fd28e80abd850f6f5ded.exe
3540 | Logo1_.exe
(The 64 entries repeat these two rows; the original report lists each occurrence separately.)
Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target
PID 4480 wrote to memory of 3168 | 4480 | d034c018f4146b5c10d86c7a9839f754d3300e955372fd28e80abd850f6f5ded.exe | 83 (reported 3 times)
PID 3168 wrote to memory of 1476 | 3168 | net.exe | 86 (reported 3 times)
PID 4480 wrote to memory of 3928 | 4480 | d034c018f4146b5c10d86c7a9839f754d3300e955372fd28e80abd850f6f5ded.exe | 90 (reported 3 times)
PID 4480 wrote to memory of 3540 | 4480 | d034c018f4146b5c10d86c7a9839f754d3300e955372fd28e80abd850f6f5ded.exe | 92 (reported 3 times)
PID 3540 wrote to memory of 2116 | 3540 | Logo1_.exe | 93 (reported 3 times)
PID 3928 wrote to memory of 3404 | 3928 | cmd.exe | 95 (reported 2 times)
PID 2116 wrote to memory of 3684 | 2116 | net.exe | 96 (reported 3 times)
PID 3540 wrote to memory of 4572 | 3540 | Logo1_.exe | 98 (reported 3 times)
PID 4572 wrote to memory of 4964 | 4572 | net.exe | 100 (reported 3 times)
PID 3540 wrote to memory of 3436 | 3540 | Logo1_.exe | 55 (reported 2 times)
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3436

  C:\Users\Admin\AppData\Local\Temp\d034c018f4146b5c10d86c7a9839f754d3300e955372fd28e80abd850f6f5ded.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d034c018f4146b5c10d86c7a9839f754d3300e955372fd28e80abd850f6f5ded.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 4480

    C:\Windows\SysWOW64\net.exe
      Command line: net stop "Kingsoft AntiVirus Service"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3168

      C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
        PID: 1476

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6EF6.bat
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 3928

      C:\Users\Admin\AppData\Local\Temp\d034c018f4146b5c10d86c7a9839f754d3300e955372fd28e80abd850f6f5ded.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\d034c018f4146b5c10d86c7a9839f754d3300e955372fd28e80abd850f6f5ded.exe"
        - Executes dropped EXE
        PID: 3404

    C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 3540

      C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 2116

        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          - System Location Discovery: System Language Discovery
          PID: 3684

      C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 4572

        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          - System Location Discovery: System Language Discovery
          PID: 4964
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Unsecured Credentials (1)
- Credentials In Files (1)
Downloads

Filesize: 257KB
MD5: b7061d43af1c1fbfe7e81049f59a701d
SHA1: 1152459adea7708f8168980fd6d870489e085e2a
SHA256: 104791a1ba38143d84d3f0e19f2c03786afad6b06eefd91a20bbfa0b083fe60e
SHA512: 938812c10f034f2027e900126dfa37718eb10509d3ffa0d626a1e32e30334adab3babca595e7f6edaf332b2d724b036fc8e004739d89112429a24c9c785507cb

Filesize: 754KB
MD5: 9aecccf5d9d785d915a69f76cbcd9707
SHA1: 37277a0d9ffe2c702b0196823053be0d809315fa
SHA256: bff1befdec242643983bed45b86bfc8e6605bb082b5ab4c210c63472b83a9a42
SHA512: 76b1c688acaf3b821c444dbb8a77c77c8b7fba288ec4f19e31ce40f9d9511315f0de1f957594268dd64d0b1c38e88afe62aef92e8f7b0cf88d466d8e5a51c72d

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize: 649KB
MD5: f29f43e8858826598313451706b14d40
SHA1: d892a7d524dde6913838cdda4f947458aa580e18
SHA256: 41ba9a9400c46b13e39f3bf6887e6db9549b403ca98ec5d05bd33ba86d7275fa
SHA512: b624ee238a91451f207e40f3cd72b6a31662cc7d6327bcd4c4f46a9cf48a6c65298b536ee5b5472328200badf5ab9291cdd259562172ee97fabd539e3e4e94da

Filesize: 722B
MD5: 8d181cdff682c59070e5475da8688804
SHA1: af0792077e9712b22a92428b623349c04ebaace0
SHA256: 1d89d9a2d6468d369ddc71c32259a08450d60360ec629a7680357e047f9a773f
SHA512: df8ef0a29274a8e3480655acdb92f684312f1e2ca55f7a09a08bcaa3f9028057dc1be4d434d6ffd9dbe14e0293a9e587d7e7138e3b46c9a82118afaeb797f198

C:\Users\Admin\AppData\Local\Temp\d034c018f4146b5c10d86c7a9839f754d3300e955372fd28e80abd850f6f5ded.exe.exe
Filesize: 152KB
MD5: 3440c72d695db245adb2728b6a5d9b1d
SHA1: 1e510973687c9a0b58464aaf43048a183d825e26
SHA256: 37462e31a348d32c9421557f38a601a632c0bdf24d8157481ba82b45f8fef64f
SHA512: 5be93dca3a1f9b8e286146d43f848ef6b8bc5ef99ca5cf50839a62dd5083d915dc94ca5a30658838e2365a45a5dd522e641ee71f811202148c9db860113018e6

Filesize: 39KB
MD5: c681ebae7053ce901d02307e3b7b21a0
SHA1: 51a315ecd6540c69026501d78040c2d54f5c556a
SHA256: 733c4bd3928b8e63bf3415868882493411bc8d7eb8bea5c3eb4e2f4e5f311905
SHA512: 5011080e43641edd7af9146ec1ff43e79041d834adf178e60c0cdbf3e3132b6370cbc0e5a5ec1c32faa6964b7f317334b23810e710598b21fd65c6d86c5c920d

Filesize: 9B
MD5: 576ff9d62716d7d16a19e1a8cab615c8
SHA1: 8b8bef85ba37eb111a77df7cb614112fa0c2b8f2
SHA256: 2a5c445e416a2f6782ff3da47470b09394b6960d59320d1232bf84cb41c8682e
SHA512: 12853c683bcd5af639f8088af88c4146f44f7b888ead60ff0d1fa826ce0e46a159b5443cbd124ce29ea9e16932ef403b18d1d12d6cc76bd82f6b3117a22a7848