998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085

Analysis

max time kernel
149s
max time network
143s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
18/04/2024, 00:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe
Size

2.6MB
MD5

468f2a8822e72abbd40916941c5b8503
SHA1

9800a6ef9a5d92fb495f4612c3dcc37378347b68
SHA256

998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085
SHA512

666fb147d0726e561c094261068263d90f5f866cbe4b9932361a55da7aacfb9a33a9402a6741aa542a19d0bddbdd676d6d8e12d1f4a35e99ba1be1c60812d402
SSDEEP

49152:/7M8jxPN5HmPJhtG6ToOK0+Hy5zlBiB55oTZeyiLmSW6Ir42/rTmJ7kgHgOK:AYPB0Z5zlBiH5oIyiLmHw2OhkgQ

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1564	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
2004	Logo1_.exe
2948	998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe

Loads dropped DLL 2 IoCs

pid	Process
1564	cmd.exe
2948	998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VC\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Defender\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Things\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Hearts\es-ES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\zh_CN\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\SAMPLES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\SpeechEngines\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\ssvagent.exe	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tet\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fa\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe
File created	C:\Windows\Logo1_.exe	998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "419563169"	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009b106788dea7af4d98683a8983feb7c600000000020000000000106600000001000020000000be3f56c952ac79dee82e658209c66194b09b78ec760feca94f52b57588105c4d000000000e800000000200002000000040a4177f5ebbb99867809fca5d7e49f7f1a9f9ae7bba41941d044285f5b8f2bd20000000d6b83ab9c80828c95b33c0cd7c79552b79bd8c8440f980ece906792c5fc0c56140000000079356b6ccac3e92760ecc09e3ffb57690954758e7ff2f141a90cec47f25afa3ffec45f7f12c17d995283c33ebb1edc18abc60cf629c222b9276ba8e75d8296b	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IntelliForms	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000009b106788dea7af4d98683a8983feb7c600000000020000000000106600000001000020000000852e92004c24493f303c6688f60758953aa0b775f8ce5676f2b49c71d1abc531000000000e80000000020000200000009c22ee6b55e1057c91307d4c1d6ac4132e83a8b8b957417ff2614d85d1ba7bb090000000e2f1614a8a49e927bdbd84a1666200957021746f124e703d0407661b84ec3ff51451ad20f1d12e9a3cda948a177ac3a62347d8710ec0f0f6ba7130325192c72d8212f783e7fc10032306e6f2a671a587c2b1182fd686add55a29d52bdc1699cc96263af8db88d2fd24d75f5911a81c67a0ad8a67e76935b20324db5f170a431aa3862d730c6456b86830198f548c9231400000003688824c23b0a83464947d8d68a6e4db5e7e7d37a898012836401d88e3f43cd2de899530d291bfeaa1f652cc66d35d67b48210bb6e1033808cf2681c248c56fd	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\PageSetup	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Zoom	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 0033026f2a91da01	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\InternetRegistry	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{5AD91881-FD1D-11EE-80DF-F60046394256} = "0"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\SearchScopes	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	IEXPLORE.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2004	Logo1_.exe
2004	Logo1_.exe
2004	Logo1_.exe
2004	Logo1_.exe
2004	Logo1_.exe
2004	Logo1_.exe
2004	Logo1_.exe
2004	Logo1_.exe
2004	Logo1_.exe
2004	Logo1_.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2324	IEXPLORE.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2324	IEXPLORE.EXE
2324	IEXPLORE.EXE
1584	IEXPLORE.EXE
1584	IEXPLORE.EXE
1584	IEXPLORE.EXE
1584	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 1564	2896	998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe	28
PID 2896 wrote to memory of 1564	2896	998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe	28
PID 2896 wrote to memory of 1564	2896	998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe	28
PID 2896 wrote to memory of 1564	2896	998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe	28
PID 2896 wrote to memory of 2004	2896	998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe	29
PID 2896 wrote to memory of 2004	2896	998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe	29
PID 2896 wrote to memory of 2004	2896	998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe	29
PID 2896 wrote to memory of 2004	2896	998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe	29
PID 2004 wrote to memory of 2528	2004	Logo1_.exe	30
PID 2004 wrote to memory of 2528	2004	Logo1_.exe	30
PID 2004 wrote to memory of 2528	2004	Logo1_.exe	30
PID 2004 wrote to memory of 2528	2004	Logo1_.exe	30
PID 2528 wrote to memory of 2460	2528	net.exe	33
PID 2528 wrote to memory of 2460	2528	net.exe	33
PID 2528 wrote to memory of 2460	2528	net.exe	33
PID 2528 wrote to memory of 2460	2528	net.exe	33
PID 1564 wrote to memory of 2948	1564	cmd.exe	34
PID 1564 wrote to memory of 2948	1564	cmd.exe	34
PID 1564 wrote to memory of 2948	1564	cmd.exe	34
PID 1564 wrote to memory of 2948	1564	cmd.exe	34
PID 2004 wrote to memory of 1140	2004	Logo1_.exe	20
PID 2004 wrote to memory of 1140	2004	Logo1_.exe	20
PID 2948 wrote to memory of 2328	2948	998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe	35
PID 2948 wrote to memory of 2328	2948	998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe	35
PID 2948 wrote to memory of 2328	2948	998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe	35
PID 2948 wrote to memory of 2328	2948	998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe	35
PID 2328 wrote to memory of 2324	2328	iexplore.exe	36
PID 2328 wrote to memory of 2324	2328	iexplore.exe	36
PID 2328 wrote to memory of 2324	2328	iexplore.exe	36
PID 2328 wrote to memory of 2324	2328	iexplore.exe	36
PID 2324 wrote to memory of 1584	2324	IEXPLORE.EXE	38
PID 2324 wrote to memory of 1584	2324	IEXPLORE.EXE	38
PID 2324 wrote to memory of 1584	2324	IEXPLORE.EXE	38
PID 2324 wrote to memory of 1584	2324	IEXPLORE.EXE	38

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1140
- C:\Users\Admin\AppData\Local\Temp\998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe
  "C:\Users\Admin\AppData\Local\Temp\998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a19F6.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\Users\Admin\AppData\Local\Temp\998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe
      "C:\Users\Admin\AppData\Local\Temp\998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe" http://se.360.cn/
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2328
      - C:\Program Files\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://se.360.cn/
        6⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2324 CREDAT:275457 /prefetch:2
        7⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1584
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2004
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2528
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
3a4ae7d36a409e517a8b88e7c8884f43

SHA1
a1131b4bb058dc5d5200e265ab93a2e6f706691f

SHA256
0e03a0de5ba761adc588229fddca341da31f1c3e2a0d8787ffd2f04aa2c7375f

SHA512
73a23fefa570f033b9126abfee56bbc20ade32aa98e9887ea5cc81b54dc8349eeb79b1c35b10022e5560cf3055304be278762a3d62529204638c3c1cdbbb03eb

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
c6c8fde27f649c91ddaab8cb9ca344a6

SHA1
5e4865aec432a18107182f47edda176e8c566152

SHA256
32c3fed53bfc1d890e9bd1d771fdc7e2c81480e03f1425bce07b4045a192d100

SHA512
a8df7d1e852d871d7f16bae10c4ff049359583da88cc85a039f0298525839040d5363ce5ef4cbdb92a12a25785f73df83cf0df07752b78e6e6444f32160a2155

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
69133784d8fcfed2a270250c4a237346

SHA1
d3f0be936aed86d07c719b2d5522c659331b112f

SHA256
ef679972618e1a36730d6b49e51c6f1db5e791e6d868e0bcdf0a11ce25c0788f

SHA512
283532f2a19818480a70e5339dd15e1f223fec815286876eb079f237708ea9ff32e0b5df3fafd07d09641b61ba37b5b1e1ce70e97453bf2856958a49fdba69a0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8a047cb4b8a9a101d7e088fc7c3cfc0d

SHA1
6fde7273549dc11efbcd89ad2e4c72c8961377c6

SHA256
bd1ea8d9e84241573bd0e309a0b3a7d41a4b3ecb15f6566105e40d27dcdaab8c

SHA512
530b281881533f578744e1ddfa424ed51cf3192e75e0fa31469f1d74820f5ad267b39ad988e73a93cb58226b5556f880b333408d214b847688ba4f2606717057

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
728782eb2d588025d1018633a8dc0ed0

SHA1
d0b9ba53c3a86801ff4b5fc53d6f53c864ecb9a3

SHA256
aa7271d68b81bf8e1e50d25fb78d107fa1b7800930c08309849244057c59c777

SHA512
f562d7a6b8386d9bc00db239f1f1f706f6cc317d0a7b0d3136b928a1d032965d5ba7eaa5dc4b339a365e25df1d9d96b6df8f8aa83cfa5f7e6ea5de48d66f30c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
079ab3c5cd845adca95305ec71879248

SHA1
628bc98109c7d0d027e28d018aea6a1ff1057c78

SHA256
a4310aa99564c54a26cb92537cb256fb06f75d3e97a34ec471b4471257a16bac

SHA512
2e1526f2d556d99aefd041a96be53040ec5a753306702045151b7f411ac4d5badccf7d383a9efcb1ec22b124cb5914678f93447c9b738162dcead7a5b1bce241

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4e51fb20b5f30d4407b1b4d72f9c0b64

SHA1
e34fa19f5970b391d637dd21891848c757f39864

SHA256
19ef34964623474d72cccab4712e8916388eeae0bb87e9ca54caf59f825eeda7

SHA512
c7dd237b3df4a9eb11ae197dde75c642a2c6647345389e20c958d6e2e172b0186b357225dcd91fcd4230f3cee5ce473c7c16b4b876d10d8d7a1ee57486e78170

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
5b47371e1adfba79979c937337c545b9

SHA1
4a3154fb1057f23243c4a747cd195bf42acc832c

SHA256
30aa6834b98a787366ade3563f7d004c92c59840a452adebaebd4cc3f6f3ac2c

SHA512
aaa1dba9bd725b1c1d5d6272d0ed02a8b3ab4b329a035d5965d544ff3a48f1934c8f8f8f4e3a9067926bd80c6acde63e25d023389eb51d64044fff1aec7c262c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
539f10469128b93e2e651cf89c57d210

SHA1
a0b35bf0d249470c581346d53867034745d4e482

SHA256
617bf9932d5a5ee86973f888288e368dd8b02ce53699109ca84c82a498e5f426

SHA512
7c96e886779c315f20affff6d7c56ed24f97a432054dd1122b5dd61ba5b877be93369f1fa4cf1419f387a65299e6833b5cc714080d5537d47ca41e5b9113d590

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
afa331638554683166fee04011bf349b

SHA1
1e2a634bff44afb270e1b50fdf7b345861b5166a

SHA256
ecdf45b9d3e7833b027564fb9320d891a882d453cc0ac1e8310da3893d08cbce

SHA512
6fff2c393de2d2a2ec1b798fe4f94e1c39c30fb9ad3aa0f011602b1eaf06a09ce9e4c2c8afc4880258b71c8d0c1632ba1238c06df7626f124ac5bc69865bdce3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0f14110f2ef30287c725e51b1c0d903b

SHA1
05ebdd85f9ca17608529775e23d20d0a45ca07ea

SHA256
b002466d6838d02d05c0633e050b1a7d60dd14b7bdc6e16d4526efe5fda2c0aa

SHA512
738c44829405d9620b894484605b25204ec5d53c37ed35959f3b62733114c2ba193bd3577cb13e8ff6a5746ce7fc4c92fd9a9d0225443e5af77ccc088c90e551

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
35acabae64f9a21ea1a2bdcd06575d3c

SHA1
8385fb8cd74a54773ce9026e254de7c4ce912101

SHA256
8b3685554c68ee08ae454e895e71819116736c9b686fa3c1bb76ef4386bf8f13

SHA512
2816abe73c252cb9b036baa64f61a76744232396e26a68231aecbffc0fcd861f0f385acd9970d146b8e65595636d9458f652e11bf2d0da42bc9deb4829edd9ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
53240734e28135be3ad543fcaa6badd5

SHA1
45d4dce705bbfe6be0b38f7c482afbf134e5a8f1

SHA256
f5a245040727e1afd9787cb75db250f095663af4ac6625bd9215dc2d5865a9b8

SHA512
f704c4e87df4c1aa2247793480ba79b7170d5001b7d2be2170c37f972e288ce8751bab32146436464cb213bb46bbd446ddb2b77c13bff7e980fdb6cc929a601b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1347abee44f97c4519c61e63e0418556

SHA1
aeaac36fdce5291948bec8d9f7dec51765ee56ce

SHA256
453cdc22523aadee5edb8c9a617fd58480301ec99a0b3ea18c3d3e5565d96535

SHA512
11081cbe78d7d44f1e098ddf4ef76c010aa8211ddc463010acc64437999fe49aad76b7f936ff9277a7a03927e280b56458d06201d956c03cde701f8f45ca906b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
d6f7315f80f6e87ccab188205e016bf1

SHA1
2d1a24953422dbace775571b4d5800b814642bf7

SHA256
7d3a31c9959e9f6ab06839cb24b09ab6cd3c0f02dd9ea9f631a7011add05f2fe

SHA512
3a06b10dcc05a0a17a094300e92d2db8e8b8ac3a8872bac0689d23cb62b662b7346bd92bfb9d116291320978f250aa648f51763b5f5bf05b4e3ba662ece29026

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a7cb56966538ad5d49e2ff16cbf547da

SHA1
5b91e7f069f2b770a43a9a5a03efcff4429352e8

SHA256
6be4c6b95163d1983e024bc18b75aca30a40b5e167d2e3b61126401e04019f4b

SHA512
e0844f7da04fec70d060b4bdd0c03227fcf8b737226e0470266db80f7e39a00803fe4ca68812841b831502f3b096509ab301aad9f417506a81e9e1abe1af2d1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6a4e1cc100b5dacb79fc095ea9f3b392

SHA1
ba77c0befe82f770e13260aa2525c0f59680e37c

SHA256
8f426813ceaebb9cdece79ae4d58c62deac55c679967e1ab97a671786a4d3cf1

SHA512
2ec050a5dff0c1d07369485b0b74b4169f58f9c236bcdcc02ffebd27e5b8d73f002656e70723f905d1a3c5474db0a92d4337a52d970f4937307ac91cb31c31bd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dd335f594b70699da414bd63562dce68

SHA1
ebd0be601592ef26b440997286f8f2e6fd4460f6

SHA256
3e93a4bfc7a36f6498518cde5302ad0de44c9e454f5bdc8eb0dbb1b4ae80991c

SHA512
2049f0be182ecdb3f6d822ea1bd8639bfe61c7bb2f8a4c252e1ea99b1e62f5a94895bd14c48d9291d79e2bed3ae7ebea39bb2d916cf5a9fa5bba2b8ff0e69c39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dc1528d1c0bbc43194ad58e2c5b50f91

SHA1
53ea2a439022eff0b122268b1be1266f3ebcc88a

SHA256
edb206daa36bc35491ec607cc36d0c1885e290522d4c959fdcd724d1867cc45c

SHA512
2c73099c44af182abb71dcb045fa2ee12f719a3eee87c6015ffe0a68801844c24502fdaa4cd421d76473c2c36a7580f0200a3c724a49f7514b0fc5e6f753c599

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
38c38321e957fc2f628afdbc3591dcc9

SHA1
358a83ae4d9cfd5d3f8f3c515375d623b57cd6c7

SHA256
5eb01c60abfec5e0c675171c8617451ae5fb00d23bfc9f21e6564749ab32baf4

SHA512
866b2ed5af7858fb1bde5c3149eeccc9dc87be444d6193309140c2f96874313f816b53faa5c7720508e7c42a38a006612ea300ea714a9e599f9ea73b39d954fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a19F6.bat

Filesize
722B

MD5
a68b25b1718a1bdd6a0cf29e96040740

SHA1
40e470d3f5ab7b50ad477dd9efe2d101bd1ec4c1

SHA256
c008b5113946dc61643d3abde337f33b8fb65496cda6a45af0551ddd65aee307

SHA512
7d1fad4487ec2cb51a99b3ba26675ee42f9e4617ecd6b7d24d2c41718c60556655ce20487295f11c225b159e322fd2e58346597b04cdac942cc85a492ae01e60

Download Submit
C:\Users\Admin\AppData\Local\Temp\998dbf404219d64228ef17e7ea8d0f3c91fc1ea5adef267f4f4ae9ac2c670085.exe.exe

Filesize
2.6MB

MD5
78e059cdb97de787e780109e42edc055

SHA1
43e35ab547d9ef8cb978cbc5bfbef89b4f6aea53

SHA256
61b7d31fa80f3c9fd584c454c9c70e6ce1f101864abcd3fd1cdb22d8b344dbd4

SHA512
426cd43d00ce9d6c850b57159c4934ed88731ce3ad56107be65d95d200c9616517967b3c7b7c2cf1b42eda4e58b6a28383cfce52a11258422eb093ee489e69ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3544.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3646.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
6ff88aed67261a9080c1e62fd8bd0504

SHA1
14aed18f7ccd0e479389f111b63e79f2578001b1

SHA256
ee50a980fa1e7b2d29fc3adfa8acdeeda2cfd4937f4efe6346bfd9d0dac37a45

SHA512
4eac127c6e81a6c5c91b5276cd4a059c1fc3d78f8b5911d1c4b8fb77cb355d61f32b22c8230d55c6ac61f7ef52062dffe76f9b98dd0d18331e26a8c7eb070172

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\_desktop.ini

Filesize
9B

MD5
72b7e38c6ba037d117f32b55c07b1a9c

SHA1
35e2435e512e17ca2be885e17d75913f06b90361

SHA256
e9719e3c653627668046bac84b77097bfb0cd018d68465c17130ed31d6d6eca6

SHA512
2bebd814b81ad2dc547802d42891d833caaad81d004758ec4373f9c7af2971eb822f0a559d2d5d4fca499912fea95e25bab22e92cb0c149d6a4c692eee6ee46a

Download Submit
memory/1140-30-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/2004-34-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2004-41-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2004-47-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2004-93-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2004-2326-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2004-1351-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2004-573-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2004-4001-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2004-4270-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2004-21-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2896-14-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2896-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download