b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9

Analysis

max time kernel
190s
max time network
186s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2022, 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
Size

655KB
MD5

04e66c511fdf2485df76cbc4a2cb14b0
SHA1

a669c062474a18e31f61dc00a4a3fcaf697b02e9
SHA256

b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9
SHA512

090c99782f65618ab0e9230846b2ab5dc1bcdf433d34819d6a819297bc6b173484259905427420241a965640bf584c4e66db68d7898c08aa5a04c37041235210
SSDEEP

12288:Jq+a9slb39XcI9TC9/1bfLkKKeXnehedVzQjRGf6DbLHAqujSIySgzJ2w7eQke:JqB9TtklkBTzQlGf6DbLHAqujSIcC6

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1436	Logo1_.exe
2784	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\F:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\VisualElements\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\include\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft.NET\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cs\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pa\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ks_IN\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\amd64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECHO\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CAPSULES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\an\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft.NET\ADOMD.NET\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gu\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\orbd.exe	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Fonts\private\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ach\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\PlatformCapabilities\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BREEZE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\FLTLDR.EXE	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cy\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\as_IN\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	Logo1_.exe
File opened for modification	C:\Program Files\Internet Explorer\SIGNUP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\Common AppData\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\7-Zip\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Internet Explorer\fr-FR\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
File created	C:\Windows\Logo1_.exe	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\Dll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2236	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
2236	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
2236	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
2236	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
2236	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
2236	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
2236	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
2236	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
2236	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
2236	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
2236	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
2236	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
2236	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
2236	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
2236	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
2236	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
2236	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
2236	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
2236	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
2236	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
2236	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
2236	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
2236	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
2236	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
2236	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
2236	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
1436	Logo1_.exe
1436	Logo1_.exe
1436	Logo1_.exe
1436	Logo1_.exe
1436	Logo1_.exe
1436	Logo1_.exe
1436	Logo1_.exe
1436	Logo1_.exe
1436	Logo1_.exe
1436	Logo1_.exe
1436	Logo1_.exe
1436	Logo1_.exe
1436	Logo1_.exe
1436	Logo1_.exe
1436	Logo1_.exe
1436	Logo1_.exe
1436	Logo1_.exe
1436	Logo1_.exe
1436	Logo1_.exe
1436	Logo1_.exe
1436	Logo1_.exe
1436	Logo1_.exe
1436	Logo1_.exe
1436	Logo1_.exe
1436	Logo1_.exe
1436	Logo1_.exe
1436	Logo1_.exe
1436	Logo1_.exe
1436	Logo1_.exe
1436	Logo1_.exe
1436	Logo1_.exe
1436	Logo1_.exe
1436	Logo1_.exe
1436	Logo1_.exe
1436	Logo1_.exe
1436	Logo1_.exe
1436	Logo1_.exe
1436	Logo1_.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2784	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
Token: SeImpersonatePrivilege	2784	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 4760	2236	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe	84
PID 2236 wrote to memory of 4760	2236	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe	84
PID 2236 wrote to memory of 4760	2236	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe	84
PID 4760 wrote to memory of 2776	4760	net.exe	86
PID 4760 wrote to memory of 2776	4760	net.exe	86
PID 4760 wrote to memory of 2776	4760	net.exe	86
PID 2236 wrote to memory of 4160	2236	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe	87
PID 2236 wrote to memory of 4160	2236	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe	87
PID 2236 wrote to memory of 4160	2236	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe	87
PID 2236 wrote to memory of 1436	2236	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe	88
PID 2236 wrote to memory of 1436	2236	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe	88
PID 2236 wrote to memory of 1436	2236	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe	88
PID 1436 wrote to memory of 3456	1436	Logo1_.exe	90
PID 1436 wrote to memory of 3456	1436	Logo1_.exe	90
PID 1436 wrote to memory of 3456	1436	Logo1_.exe	90
PID 3456 wrote to memory of 4868	3456	net.exe	92
PID 3456 wrote to memory of 4868	3456	net.exe	92
PID 3456 wrote to memory of 4868	3456	net.exe	92
PID 4160 wrote to memory of 2784	4160	cmd.exe	93
PID 4160 wrote to memory of 2784	4160	cmd.exe	93
PID 4160 wrote to memory of 2784	4160	cmd.exe	93
PID 1436 wrote to memory of 1772	1436	Logo1_.exe	94
PID 1436 wrote to memory of 1772	1436	Logo1_.exe	94
PID 1436 wrote to memory of 1772	1436	Logo1_.exe	94
PID 1772 wrote to memory of 648	1772	net.exe	96
PID 1772 wrote to memory of 648	1772	net.exe	96
PID 1772 wrote to memory of 648	1772	net.exe	96
PID 1436 wrote to memory of 2348	1436	Logo1_.exe	39
PID 1436 wrote to memory of 2348	1436	Logo1_.exe	39
PID 2784 wrote to memory of 3588	2784	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe	99
PID 2784 wrote to memory of 3588	2784	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe	99
PID 2784 wrote to memory of 3588	2784	b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe	99
PID 4948 wrote to memory of 4320	4948	explorer.exe	101
PID 4948 wrote to memory of 4320	4948	explorer.exe	101
PID 4320 wrote to memory of 980	4320	msedge.exe	103
PID 4320 wrote to memory of 980	4320	msedge.exe	103

C:\Users\Admin\AppData\Local\Temp\b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
"C:\Users\Admin\AppData\Local\Temp\b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\net.exe
  net stop "Kingsoft AntiVirus Service"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4760
- - C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
    3⤵
    PID:2776
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a154D.bat
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4160
- - C:\Users\Admin\AppData\Local\Temp\b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe
    "C:\Users\Admin\AppData\Local\Temp\b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\Windows\SysWOW64\explorer.exe
      "C:\Windows\System32\explorer.exe" URL="http://down.360safe.com/setup.exe"
      4⤵
      PID:3588
- C:\Windows\Logo1_.exe
  C:\Windows\Logo1_.exe
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1436
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3456
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:4868
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1772
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:648

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2348

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://down.360safe.com/setup.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4320
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd7efa46f8,0x7ffd7efa4708,0x7ffd7efa4718
    3⤵
    PID:980

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\$$a154D.bat

Filesize
722B

MD5
7912cbf465c3e8950ce613f336922db2

SHA1
e64e3af97a60c5b7b6119ed35ddbf5579a0d4f36

SHA256
9e3ab2e30442d6fe0daf9a43f0b0ce17a1dc08f1b4f228da7cce6da3451a00e2

SHA512
c9608e01e1042416d4a269b0b864e733bfa8e2a381da000a768a8652ec2dd4cc2385ec816524aec38506951ff4e4811a558bff196507944b5e23d72233a20e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe

Filesize
621KB

MD5
b96935d921cb6665638ff00f1b6b8098

SHA1
b71c40c76301a52e3d49b06ad3f99afffa178934

SHA256
ca5b1c8f21cb3209e93636300391aba0693ad68957e997fe3ce85c0880eb1f93

SHA512
40505dc52b697907a9ca9a196a156b751af43e75c97eb6d99835147bafd0561b25b8943ea421350bee5b6cc398b4d13159dfc0d500a4f5ce99130c9ca301e5e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\b443fb983556d0009bb4cd94b32d2b38ea3a34fde28a2b8f5d5b06c5b0735fb9.exe.exe

Filesize
621KB

MD5
b96935d921cb6665638ff00f1b6b8098

SHA1
b71c40c76301a52e3d49b06ad3f99afffa178934

SHA256
ca5b1c8f21cb3209e93636300391aba0693ad68957e997fe3ce85c0880eb1f93

SHA512
40505dc52b697907a9ca9a196a156b751af43e75c97eb6d99835147bafd0561b25b8943ea421350bee5b6cc398b4d13159dfc0d500a4f5ce99130c9ca301e5e8

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
d3c9b20260fa9b0131b750f762f5d083

SHA1
a41ae48d90e642b7ec53c03e2dcefe75ff9c523c

SHA256
73bc4265b6f4825db9a7ee89cc589ffd01891b2878d7037da02a9bbdcfd6a33f

SHA512
c69d28908697b802ab9c3997c5af54d3ee3d369bb4e349f9cee846418609715eea7251620f4e09f0e485ac6287d9650aee89c663da538577e46137378db88d64

Download Submit
C:\Windows\Logo1_.exe

Filesize
33KB

MD5
d3c9b20260fa9b0131b750f762f5d083

SHA1
a41ae48d90e642b7ec53c03e2dcefe75ff9c523c

SHA256
73bc4265b6f4825db9a7ee89cc589ffd01891b2878d7037da02a9bbdcfd6a33f

SHA512
c69d28908697b802ab9c3997c5af54d3ee3d369bb4e349f9cee846418609715eea7251620f4e09f0e485ac6287d9650aee89c663da538577e46137378db88d64

Download Submit
C:\Windows\rundl132.exe

Filesize
33KB

MD5
d3c9b20260fa9b0131b750f762f5d083

SHA1
a41ae48d90e642b7ec53c03e2dcefe75ff9c523c

SHA256
73bc4265b6f4825db9a7ee89cc589ffd01891b2878d7037da02a9bbdcfd6a33f

SHA512
c69d28908697b802ab9c3997c5af54d3ee3d369bb4e349f9cee846418609715eea7251620f4e09f0e485ac6287d9650aee89c663da538577e46137378db88d64

Download Submit
memory/1436-150-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/1436-141-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2236-138-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2236-133-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download