Analysis
- max time kernel: 156s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20220901-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 03/10/2022, 16:37
Static task: static1
Behavioral task: behavioral1
- Sample: 68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
- Resource: win7-20220812-en
General
- Target: 68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
- Size: 1.1MB
- MD5: 04406580f7a56a97734a4e98222e9361
- SHA1: 486c6f5cbc0e63ff623aae5508e047b2ed99b1ed
- SHA256: 68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e
- SHA512: 69248fb6ac33541cbf0b30bf3db7fc78a97bb6faf401620b40c99b3de0385f714c2a17b007b8d841baa0c7a984432b3c3dde0befcef6434a170a2a7084997d25
- SSDEEP: 12288:L3N4qOPajQUXXP8QvLWFx6Mo5rippDC7ee1hpls4Ey+g:L3N4najQEPnvg6PhWDC750g
Malware Config
Signatures
- Drops file in Drivers directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | 68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | Logo1_.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  3432 | Logo1_.exe
  1840 | 68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
- Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 22 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\R: | Logo1_.exe
  File opened (read-only) | \??\N: | Logo1_.exe
  File opened (read-only) | \??\J: | Logo1_.exe
  File opened (read-only) | \??\I: | Logo1_.exe
  File opened (read-only) | \??\G: | Logo1_.exe
  File opened (read-only) | \??\F: | Logo1_.exe
  File opened (read-only) | \??\K: | Logo1_.exe
  File opened (read-only) | \??\X: | Logo1_.exe
  File opened (read-only) | \??\W: | Logo1_.exe
  File opened (read-only) | \??\U: | Logo1_.exe
  File opened (read-only) | \??\T: | Logo1_.exe
  File opened (read-only) | \??\S: | Logo1_.exe
  File opened (read-only) | \??\Q: | Logo1_.exe
  File opened (read-only) | \??\M: | Logo1_.exe
  File opened (read-only) | \??\Z: | Logo1_.exe
  File opened (read-only) | \??\V: | Logo1_.exe
  File opened (read-only) | \??\E: | Logo1_.exe
  File opened (read-only) | \??\Y: | Logo1_.exe
  File opened (read-only) | \??\P: | Logo1_.exe
  File opened (read-only) | \??\O: | Logo1_.exe
  File opened (read-only) | \??\L: | Logo1_.exe
  File opened (read-only) | \??\H: | Logo1_.exe
- Drops file in Program Files directory (64 IoCs)
  description | ioc | Process
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\js\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\da-dk\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\pt-br\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Mozilla Firefox\uninstall\helper.exe | Logo1_.exe
  File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\Simple\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\hu-hu\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe | Logo1_.exe
  File opened for modification | C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\VideoLAN\VLC\plugins\video_splitter\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nb-no\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\VideoLAN\VLC\plugins\demux\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Java\jdk1.8.0_66\db\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hu-hu\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\pt-br\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Windows Sidebar\Gadgets\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\tr-tr\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\nl-nl\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\bn\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\VideoLAN\VLC\lua\http\js\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\modules\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\en-ae\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\eu-es\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Google\Update\Download\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-ae\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pl-pl\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nb-no\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-sl\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ro-ro\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hr-hr\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\ModuleAutoDeps\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ru-ru\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ja-jp\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\uk-ua\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Microsoft Office\Office16\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ro-ro\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\VideoLAN\VLC\locale\fr\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ru-ru\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\tr-tr\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.167.21\MicrosoftEdgeUpdateSetup.exe | Logo1_.exe
  File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-gb\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sv-se\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\de-de\_desktop.ini | Logo1_.exe
  File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\hu-hu\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\_desktop.ini | Logo1_.exe
  File created | C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\_desktop.ini | Logo1_.exe
- Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File created | C:\Windows\rundl132.exe | 68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
  File created | C:\Windows\Logo1_.exe | 68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
  File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
  File created | C:\Windows\Dll.dll | Logo1_.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Program crash (1 IoCs)
  pid | pid_target | Process | procid_target
  4952 | 1840 | WerFault.exe | 92
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process
  4652 | 68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe (26 identical entries)
  3432 | Logo1_.exe (38 identical entries)
- Suspicious use of SetWindowsHookEx (4 IoCs)
  pid | Process
  1840 | 68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
  1840 | 68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
  1840 | 68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
  1840 | 68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
- Suspicious use of WriteProcessMemory (29 IoCs)
  description | pid | Process | procid_target
  PID 4652 wrote to memory of 4440 | 4652 | 68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe | 83 (3 identical entries)
  PID 4652 wrote to memory of 4032 | 4652 | 68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe | 85 (3 identical entries)
  PID 4652 wrote to memory of 3432 | 4652 | 68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe | 87 (3 identical entries)
  PID 4440 wrote to memory of 204 | 4440 | net.exe | 88 (3 identical entries)
  PID 3432 wrote to memory of 4532 | 3432 | Logo1_.exe | 90 (3 identical entries)
  PID 4532 wrote to memory of 1940 | 4532 | net.exe | 91 (3 identical entries)
  PID 4032 wrote to memory of 1840 | 4032 | cmd.exe | 92 (3 identical entries)
  PID 3432 wrote to memory of 2404 | 3432 | Logo1_.exe | 93 (3 identical entries)
  PID 2404 wrote to memory of 3040 | 2404 | net.exe | 95 (3 identical entries)
  PID 3432 wrote to memory of 3024 | 3432 | Logo1_.exe | 36 (2 identical entries)
Processes
- C:\Windows\Explorer.EXE (PID 3024)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe (PID 4652)
    command line: "C:\Users\Admin\AppData\Local\Temp\68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe"
    signatures: Drops file in Drivers directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 4440)
      command line: net stop "Kingsoft AntiVirus Service"
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 204)
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
    - C:\Windows\SysWOW64\cmd.exe (PID 4032)
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a2105.bat
      signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe (PID 1840)
        command line: "C:\Users\Admin\AppData\Local\Temp\68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe"
        signatures: Executes dropped EXE; Suspicious use of SetWindowsHookEx
        - C:\Windows\SysWOW64\WerFault.exe (PID 4952)
          command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1840 -s 1404
          signatures: Program crash
    - C:\Windows\Logo1_.exe (PID 3432)
      command line: C:\Windows\Logo1_.exe
      signatures: Drops file in Drivers directory; Executes dropped EXE; Drops startup file; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 4532)
        command line: net stop "Kingsoft AntiVirus Service"
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 1940)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      - C:\Windows\SysWOW64\net.exe (PID 2404)
        command line: net stop "Kingsoft AntiVirus Service"
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 3040)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
- C:\Windows\SysWOW64\WerFault.exe (PID 4420)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 1840 -ip 1840
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 722B
  MD5: d446e4f926f251fff2fb7a64c70d6738
  SHA1: 2d1a671e2c0ba899813954cd1ce1e66d10f343b7
  SHA256: eff6722a97904e80c52ea96be88f14a2ee1ea3bd4f4e11c35b1e64ac1cee13ba
  SHA512: d1860070c5acba3ba7a9a3754b5805ad8c4fc66ebc9939b9ca54bc047d3ed70d4437b557f021e2f0e67027e03cf4d74110ebf26b3ca8758309a709a56d89332a
- C:\Users\Admin\AppData\Local\Temp\68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe
  Filesize: 1.1MB
  MD5: b0375fadbb808beaf33971aa2b1b56e2
  SHA1: 2b978167e0b264e7dd3484c61df8b31799f6867f
  SHA256: 92efe448504a68a44bdcdccad6c903580900a32977ef65b9af229f972551df33
  SHA512: 8e75fbda817d0c57e1206dbc689a0f2e2fc84f6af5774e0679c8b6088691b48e0399135b3ca9f530ded10a54ba84078f9b39060c54595b5ddd910b959a4f9d58
- C:\Users\Admin\AppData\Local\Temp\68648c7c668c22bc0c2c694ac6aa2fe9cad35e92707188deb4e7c35273072b4e.exe.exe
  Filesize: 1.1MB
  MD5: b0375fadbb808beaf33971aa2b1b56e2
  SHA1: 2b978167e0b264e7dd3484c61df8b31799f6867f
  SHA256: 92efe448504a68a44bdcdccad6c903580900a32977ef65b9af229f972551df33
  SHA512: 8e75fbda817d0c57e1206dbc689a0f2e2fc84f6af5774e0679c8b6088691b48e0399135b3ca9f530ded10a54ba84078f9b39060c54595b5ddd910b959a4f9d58
- Filesize: 33KB
  MD5: fda93e69b1fe9e9ba2bf9faef22b6829
  SHA1: f782afc8aae08a93a4e7d444efc680d17fce002b
  SHA256: 180298bb40291e89cd0a6d4526b1f694f5f2b579f36d6eab9ae9fd1925785739
  SHA512: 91e0c39c4890a1a49082bbf14e2ba553bf8f563805b265892e2c985bccff2e266e5e81e298bfb37b16b6468ccb6064e564d11794cf06e4d9d094a58af0ca19f6
- Filesize: 33KB
  MD5: fda93e69b1fe9e9ba2bf9faef22b6829
  SHA1: f782afc8aae08a93a4e7d444efc680d17fce002b
  SHA256: 180298bb40291e89cd0a6d4526b1f694f5f2b579f36d6eab9ae9fd1925785739
  SHA512: 91e0c39c4890a1a49082bbf14e2ba553bf8f563805b265892e2c985bccff2e266e5e81e298bfb37b16b6468ccb6064e564d11794cf06e4d9d094a58af0ca19f6
- Filesize: 33KB
  MD5: fda93e69b1fe9e9ba2bf9faef22b6829
  SHA1: f782afc8aae08a93a4e7d444efc680d17fce002b
  SHA256: 180298bb40291e89cd0a6d4526b1f694f5f2b579f36d6eab9ae9fd1925785739
  SHA512: 91e0c39c4890a1a49082bbf14e2ba553bf8f563805b265892e2c985bccff2e266e5e81e298bfb37b16b6468ccb6064e564d11794cf06e4d9d094a58af0ca19f6