Analysis
-
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-04-2024 19:58
Static task: static1
Behavioral task: behavioral1
Sample: 9a4e9e734733ef52767bbadc94a028cb5785703e42027aebbaea9416acdf6f51.exe
Resource: win7-20240221-en
General
-
Target: 9a4e9e734733ef52767bbadc94a028cb5785703e42027aebbaea9416acdf6f51.exe
Size: 130KB
MD5: 9bd6a8b6a72d058386cca6728c19b40d
SHA1: 722164902147c79a9988f1d6c84849eece0d3c77
SHA256: 9a4e9e734733ef52767bbadc94a028cb5785703e42027aebbaea9416acdf6f51
SHA512: 169d130b922d07abdb710c1ba3f136727e0773568ff5c0e54f9b1303c6b7c5af7d5ca857b4117469b9a640c502c27846c9fd39ebcf91a4621016152b47be3ddd
SSDEEP: 3072:PVaY46tGNttyJQ7KRHvgmJAIlwPxX/ZWOFrb:346tGdyuvI+PxBWOFn
Malware Config
Signatures
-
Drops file in Drivers directory 2 IoCs
Processes: 9a4e9e734733ef52767bbadc94a028cb5785703e42027aebbaea9416acdf6f51.exe, Logo1_.exe
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | 9a4e9e734733ef52767bbadc94a028cb5785703e42027aebbaea9416acdf6f51.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | Logo1_.exe
-
Drops startup file 2 IoCs
Processes: Logo1_.exe
description | ioc | process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
-
Executes dropped EXE 2 IoCs
Processes: Logo1_.exe, 9a4e9e734733ef52767bbadc94a028cb5785703e42027aebbaea9416acdf6f51.exe
pid | process
5040 | Logo1_.exe
4316 | 9a4e9e734733ef52767bbadc94a028cb5785703e42027aebbaea9416acdf6f51.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: Logo1_.exe
description | ioc | process
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
-
Drops file in Program Files directory 64 IoCs
Processes: Logo1_.exe
description | ioc | process
File created | C:\Program Files\VideoLAN\VLC\locale\de\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hu-hu\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\css\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-tw\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\pl-pl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.17\MicrosoftEdgeUpdateComRegisterShell64.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\ja-JP\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\PackageManifests\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nl-nl\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\da-dk\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\de-de\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\de-DE\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\he-il\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\he-il\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\spu\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ro-ro\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\MsEdgeCrashpad\reports\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\uk-ua\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Portable Devices\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\root\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\it-it\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\nb-no\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sv-se\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-il\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office 15\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ca-es\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ca-es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-il\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sl-sl\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\zh-cn\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ja-jp\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{63A530B2-4AF6-40C9-B231-B4073A76EB72}\chrome_installer.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ro-ro\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.17\MicrosoftEdgeUpdate.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\schemagen.exe | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\include\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sk-sk\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ca-es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-cn\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-tw\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nb-no\_desktop.ini | Logo1_.exe
-
Drops file in Windows directory 4 IoCs
Processes: 9a4e9e734733ef52767bbadc94a028cb5785703e42027aebbaea9416acdf6f51.exe, Logo1_.exe
description | ioc | process
File created | C:\Windows\rundl132.exe | 9a4e9e734733ef52767bbadc94a028cb5785703e42027aebbaea9416acdf6f51.exe
File created | C:\Windows\Logo1_.exe | 9a4e9e734733ef52767bbadc94a028cb5785703e42027aebbaea9416acdf6f51.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\Dll.dll | Logo1_.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes: 9a4e9e734733ef52767bbadc94a028cb5785703e42027aebbaea9416acdf6f51.exe, Logo1_.exe
pid | process
4068 | 9a4e9e734733ef52767bbadc94a028cb5785703e42027aebbaea9416acdf6f51.exe
5040 | Logo1_.exe
(the raw report lists 64 events, every one attributed to one of these two pid/process rows)
-
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: 9a4e9e734733ef52767bbadc94a028cb5785703e42027aebbaea9416acdf6f51.exe
pid | process
4316 | 9a4e9e734733ef52767bbadc94a028cb5785703e42027aebbaea9416acdf6f51.exe
4316 | 9a4e9e734733ef52767bbadc94a028cb5785703e42027aebbaea9416acdf6f51.exe
-
Suspicious use of WriteProcessMemory 29 IoCs
Processes: 9a4e9e734733ef52767bbadc94a028cb5785703e42027aebbaea9416acdf6f51.exe, net.exe, Logo1_.exe, net.exe, net.exe, cmd.exe
description | pid | process | target process
PID 4068 wrote to memory of 1920 | 4068 | 9a4e9e734733ef52767bbadc94a028cb5785703e42027aebbaea9416acdf6f51.exe | net.exe (3 events)
PID 1920 wrote to memory of 5028 | 1920 | net.exe | net1.exe (3 events)
PID 4068 wrote to memory of 4736 | 4068 | 9a4e9e734733ef52767bbadc94a028cb5785703e42027aebbaea9416acdf6f51.exe | cmd.exe (3 events)
PID 4068 wrote to memory of 5040 | 4068 | 9a4e9e734733ef52767bbadc94a028cb5785703e42027aebbaea9416acdf6f51.exe | Logo1_.exe (3 events)
PID 5040 wrote to memory of 2476 | 5040 | Logo1_.exe | net.exe (3 events)
PID 5040 wrote to memory of 2404 | 5040 | Logo1_.exe | net.exe (3 events)
PID 2476 wrote to memory of 2032 | 2476 | net.exe | net1.exe (3 events)
PID 2404 wrote to memory of 704 | 2404 | net.exe | net1.exe (3 events)
PID 4736 wrote to memory of 4316 | 4736 | cmd.exe | 9a4e9e734733ef52767bbadc94a028cb5785703e42027aebbaea9416acdf6f51.exe (3 events)
PID 5040 wrote to memory of 3484 | 5040 | Logo1_.exe | Explorer.EXE (2 events)
Processes
-
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3484
  C:\Users\Admin\AppData\Local\Temp\9a4e9e734733ef52767bbadc94a028cb5785703e42027aebbaea9416acdf6f51.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\9a4e9e734733ef52767bbadc94a028cb5785703e42027aebbaea9416acdf6f51.exe"
    - Drops file in Drivers directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 4068
    C:\Windows\SysWOW64\net.exe
      Command line: net stop "Kingsoft AntiVirus Service"
      - Suspicious use of WriteProcessMemory
      PID: 1920
      C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        PID: 5028
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7167.bat
      - Suspicious use of WriteProcessMemory
      PID: 4736
      C:\Users\Admin\AppData\Local\Temp\9a4e9e734733ef52767bbadc94a028cb5785703e42027aebbaea9416acdf6f51.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\9a4e9e734733ef52767bbadc94a028cb5785703e42027aebbaea9416acdf6f51.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        PID: 4316
    C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      - Drops file in Drivers directory
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 5040
      C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        PID: 2476
        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 2032
      C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
        PID: 2404
        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 704
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4100 --field-trial-handle=2588,i,14229658658073991926,6938034815163866135,262144 --variations-seed-version /prefetch:8
  PID: 3892
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 258KB
MD5: 196e80c6461b51a75560df3e57cfbd9a
SHA1: 3dd1bb9835e97f093efe4ffd8c078d8fa3d4ef7f
SHA256: dee2cf210ee5f75549462b7cb03674155eb011190c77e332d53edcf655bcc237
SHA512: 00a3d357b589b85a644c78558fd8eff80832cec119f8d4976f7248ce2521dbe331078129ec35af26ec18d182daad55812e3d57f2f9b73615762a37ac2fc15798
-
Filesize: 577KB
MD5: 52b929e3308c6c5cf1e9366799ba774d
SHA1: 73367e44a6aeb30f38c053492485ccc88f3f96b9
SHA256: 1371f108190c128f882a8babd65e575855c16a158530163f97d4aaec08204a3a
SHA512: 074eb6f7224979654bf1f5239a9b46a4a30ce8a17c3e47b3f38902cffdbb4c394facbe948d6b0b7f99077483708f8bc03aa40fb1ddba2c18033d52719ac47baa
-
Filesize: 488KB
MD5: 15137620fba9c2013dfa9107be4321d5
SHA1: 31c790632ae19274fc2ed7e1615458324bc199bd
SHA256: 37cf90de70064c0ecf765ae35e8b0cf412c90cca2aaa2513cfba95b408b4e604
SHA512: e2cbb59ec77cb009bf1b0d8d398c0898e65380858d33afb58e6ffc762842526f097d112369200cda95f015f5aa75e5af88810e2f2e174e0d1600cb6ec22a77e3
-
Filesize: 722B
MD5: 310b1e3973a3d4326f9b75ee0c2847ad
SHA1: 072a3dc4ab9f97ca45f625197cf874bc44689d3a
SHA256: bad59992bd05c689a5980b8dd7e9df0eac6315039e7f8240955bdb41d26651f6
SHA512: ca3d8c1a7faca9a640b5c5b13fe08272d47b484c144663ecb2c61648095b9d0fe52002148fb7036f61f16e63d68e3ca6cec5a34eed05f7b0d9cc1219f692756a
-
C:\Users\Admin\AppData\Local\Temp\9a4e9e734733ef52767bbadc94a028cb5785703e42027aebbaea9416acdf6f51.exe.exe
Filesize: 97KB
MD5: 713a30695b671b6e3b19b7d09f9d8409
SHA1: 83916537c86d7dc1043c752f195f04fa42813afe
SHA256: 6b42e2e9822b99f5f13a6d1f639fa64cc93001266ceb7a7d342da1bce84d5c08
SHA512: a450c691e0c8d16519b418b366a260360a57e8511c6975f2e3029c41f30a68d83448126c3d57c9fb36b3a44e839d4bbcaa73e0adfe305a71e04def2fd990cbf7
-
Filesize: 33KB
MD5: 0e8792b58f9237e03516447b7048d63c
SHA1: 6f28494f0766ee470bbced1fe79fb10e5fee8252
SHA256: 7e4e7447ce04580a3af3a9bf90810712d6daebc0ced6c6856eae22771ac50956
SHA512: 6b935debde1916d7b1f2239ac3534c1f1585406c0d5f1060fdb356253cfab2fe9c716fd7ad05f20b9b3bb222307f15ae1b88e9062c7282d570b523150364e8a5
-
Filesize: 842B
MD5: 6f4adf207ef402d9ef40c6aa52ffd245
SHA1: 4b05b495619c643f02e278dede8f5b1392555a57
SHA256: d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e
SHA512: a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47
-
Filesize: 8B
MD5: 331b730a7f1adbf1f0bc05e0c610f0f1
SHA1: 2f2283f84f040fbd4ecf99055026b70bb3b732ec
SHA256: 2d3dbb80989e5cc7ef9ef800cc986bb8dccf4ca1f78437040bccd59312a55593
SHA512: 16790117c382e66c8af2932ed0c37229ae5ee6b8bbaa8bd4e3f9afed6e07cd89c5807c81145f19f561ab714d844826cf6099a6dc97d84fa3f9da5e763bcc78c4