Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/09/2024, 14:17

Tasks
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 043824e73122c345e4081841e81d64ada72700e8f95549eb4b0ae0a07ee0d8cf.exe
  - Resource: win7-20240903-en
General
- Target: 043824e73122c345e4081841e81d64ada72700e8f95549eb4b0ae0a07ee0d8cf.exe
- Size: 164KB
- MD5: 05d3c6e1c2726cfa659f044cc6c3f232
- SHA1: b82f957011ea799358735b7c4422188a03d0a09f
- SHA256: 043824e73122c345e4081841e81d64ada72700e8f95549eb4b0ae0a07ee0d8cf
- SHA512: 68cf693d6b60afe565b38a5b117d00e2bd4977a2b11226a737f202d000a75b56657360f21985dd087de4536df0330b65121d5417f3d7c409755ad38b2df3b2a7
- SSDEEP: 3072:xHe+aX38yas99djmMGWBgh1002J8emEu3T7TO+9Z9sTOVrZzxVxU:c+aX38KYWBW1Wu3rOOuOVr8
Malware Config
Signatures

In the lists below, "sample" denotes 043824e73122c345e4081841e81d64ada72700e8f95549eb4b0ae0a07ee0d8cf.exe. Process IDs refer to the process tree further down.

Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (Logo1_.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (Logo1_.exe)

Executes dropped EXE (2 IoCs)
- PID 4732: Logo1_.exe (dropped into C:\Windows by the sample)
- PID 1940: sample (a second instance, launched through cmd.exe from the batch file $$aA103.bat)

Reads user/profile data of web browsers (2 TTPs; no IoCs listed)
Infostealers often target stored browser data, which can include saved credentials. The report lists no concrete file or registry access for this signature, so treat it as a weak indicator on its own.

Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive. Logo1_.exe opened the following drive roots read-only: \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (every letter from E: to Z: except F:). Walking every drive root in sequence is the typical prelude to spreading to removable and mapped drives.

Drops file in Program Files directory (64 IoCs)
All 64 entries are _desktop.ini files written by Logo1_.exe. Note that this marker file is not the legitimate desktop.ini: the leading underscore distinguishes it.
- File created: C:\Program Files\Microsoft Office\Updates\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-ma\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\he-il\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hr-hr\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hr-hr\_desktop.ini
- File created: C:\Program Files\VideoLAN\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\locale\ie\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nb-no\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Windows Media Player\uk-UA\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ja-jp\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ru-ru\_desktop.ini
- File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ro-ro\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ko-kr\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sv-se\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-gb\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\_desktop.ini
- File opened for modification: C:\Program Files\Java\jdk-1.8\jre\legal\_desktop.ini
- File created: C:\Program Files\Windows Defender\uk-UA\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fi-fi\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\hr-hr\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\tr-tr\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ro-ro\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\he-il\_desktop.ini
- File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\locale\ne\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\lua\http\js\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pl-pl\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\hu-hu\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ar-ae\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ko-kr\_desktop.ini
- File created: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini
- File opened for modification: C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\_desktop.ini
- File opened for modification: C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\9FC6CB38-5C10-4E84-A2B8-DBDBBDBFF3D0\root\_desktop.ini
- File created: C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Simple\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sl-si\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\cs-cz\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\nl-nl\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\tr-tr\_desktop.ini
- File created: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\ja-jp\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nl-nl\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\cs-cz\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\pl-pl\_desktop.ini
- File created: C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\de\_desktop.ini
- File created: C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\uk-UA\_desktop.ini
- File created: C:\Program Files\Java\jre-1.8\lib\applet\_desktop.ini
- File created: C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\_desktop.ini
- File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\_desktop.ini
- File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\de-de\_desktop.ini
- File created: C:\Program Files\VideoLAN\VLC\locale\or_IN\LC_MESSAGES\_desktop.ini

Drops file in Windows directory (4 IoCs)
- File created: C:\Windows\rundl132.exe (sample)
- File created: C:\Windows\Logo1_.exe (sample)
- File opened for modification: C:\Windows\rundl132.exe (Logo1_.exe)
- File created: C:\Windows\Dll.dll (Logo1_.exe)
Note the look-alike name: rundl132.exe uses the digit 1 where the legitimate rundll32.exe has the letter l, and the legitimate binary lives in System32/SysWOW64, not directly in C:\Windows. A hunt for PE files created directly under C:\Windows by a process running out of a user's Temp directory would catch the first two entries.

System Location Discovery: System Language Discovery (1 TTP, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by net.exe (3 times), net1.exe (3 times), Logo1_.exe, sample, and cmd.exe. The net.exe, net1.exe and cmd.exe entries are ordinary locale lookups by Windows binaries; only the sample and Logo1_.exe reads are attributable to the malware itself.

Runs net.exe
The sample and Logo1_.exe each invoke net.exe to stop a service; see the command lines in the process tree.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Repeated process enumeration by PID 2964 (sample) and PID 4732 (Logo1_.exe).

Suspicious use of SetWindowsHookEx (2 IoCs)
- PID 1940: sample (the second instance)

Suspicious use of WriteProcessMemory (28 IoCs)
Writer PID (process) → target PID (process), with the report's procid_target index and the number of recorded writes:
- 2964 (sample) → 4700 (net.exe), procid_target 82, 3 writes
- 4700 (net.exe) → 3556 (net1.exe), procid_target 84, 3 writes
- 2964 (sample) → 1860 (cmd.exe), procid_target 85, 3 writes
- 2964 (sample) → 4732 (Logo1_.exe), procid_target 86, 3 writes
- 4732 (Logo1_.exe) → 2920 (net.exe), procid_target 88, 3 writes
- 2920 (net.exe) → 4992 (net1.exe), procid_target 90, 3 writes
- 1860 (cmd.exe) → 1940 (sample), procid_target 91, 2 writes
- 4732 (Logo1_.exe) → 2780 (net.exe), procid_target 94, 3 writes
- 2780 (net.exe) → 4472 (net1.exe), procid_target 96, 3 writes
- 4732 (Logo1_.exe) → 3472 (Explorer.EXE), procid_target 56, 2 writes
Most of these are the parent writing into a child it has just created, which CreateProcess does routinely. The last entry is different: Logo1_.exe writes into Explorer.EXE, a process it did not spawn, which is worth a closer look in a full trace.
Processes

C:\Windows\Explorer.EXE (PID 3472)
  command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\043824e73122c345e4081841e81d64ada72700e8f95549eb4b0ae0a07ee0d8cf.exe (PID 2964)
    command line: "C:\Users\Admin\AppData\Local\Temp\043824e73122c345e4081841e81d64ada72700e8f95549eb4b0ae0a07ee0d8cf.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net.exe (PID 4700)
      command line: net stop "Kingsoft AntiVirus Service"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net1.exe (PID 3556)
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe (PID 1860)
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA103.bat
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\043824e73122c345e4081841e81d64ada72700e8f95549eb4b0ae0a07ee0d8cf.exe (PID 1940)
        command line: "C:\Users\Admin\AppData\Local\Temp\043824e73122c345e4081841e81d64ada72700e8f95549eb4b0ae0a07ee0d8cf.exe"
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx

    C:\Windows\Logo1_.exe (PID 4732)
      command line: C:\Windows\Logo1_.exe
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net.exe (PID 2920)
        command line: net stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe (PID 4992)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\net.exe (PID 2780)
        command line: net stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe (PID 4472)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          - System Location Discovery: System Language Discovery
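The signatures and the process tree above translate directly into host-based detections. The following is an added example and is not part of the report or of any sandbox's own rule set: it encodes five of the report's observations (net.exe stopping a service with "AntiVirus" in its name, cmd.exe running a batch file out of a Temp directory, PE files written directly into C:\Windows, one process spraying _desktop.ini files, and one process opening many drive roots) as rules over a constructed event list that mirrors the process tree. The event schema, the helper names, and the thresholds are assumptions; real deployments would feed Sysmon process-creation and file-creation events into `detect()` instead of the inline list.

```python
"""Behavioural detections modelled on the sandbox report above.

Added example, not part of the report. The event dicts are CONSTRUCTED to
mirror the report's process tree and a subset of its file/drive IoCs; the
field names ('type', 'pid', 'ppid', 'image', 'cmdline', 'path', 'op') are
an assumed schema, not a real EDR export format.
"""
import ntpath
import re
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\043824e73122c345e4081841e81d64ada72700e8f95549eb4b0ae0a07ee0d8cf.exe")
LOGO1 = r"C:\Windows\Logo1_.exe"


def proc(pid, ppid, image, cmdline):
    return {"type": "process", "pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


def fev(pid, image, path, op="create"):
    return {"type": "file", "pid": pid, "image": image, "path": path, "op": op}


# Constructed events: the report's process tree plus representative file IoCs.
EVENTS = [
    proc(2964, 3472, SAMPLE, f'"{SAMPLE}"'),
    proc(4700, 2964, r"C:\Windows\SysWOW64\net.exe", 'net stop "Kingsoft AntiVirus Service"'),
    proc(3556, 4700, r"C:\Windows\SysWOW64\net1.exe",
         r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
    proc(1860, 2964, r"C:\Windows\SysWOW64\cmd.exe",
         r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aA103.bat"),
    proc(4732, 2964, LOGO1, LOGO1),
    fev(2964, SAMPLE, r"C:\Windows\rundl132.exe"),
    fev(2964, SAMPLE, LOGO1),
    fev(4732, LOGO1, r"C:\Windows\Dll.dll"),
    fev(4732, LOGO1, r"C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini"),
    fev(4732, LOGO1, r"C:\Program Files\VideoLAN\_desktop.ini"),
    fev(4732, LOGO1, r"C:\Program Files\Windows Defender\uk-UA\_desktop.ini"),
    fev(4732, LOGO1, r"C:\Program Files (x86)\Windows Media Player\uk-UA\_desktop.ini"),
] + [fev(4732, LOGO1, f"\\??\\{d}:", op="open") for d in "EGHIJKLMNOPQRSTUVWXYZ"]

DRIVE_ROOT = re.compile(r"^\\\?\?\\[A-Z]:$")            # NT-style drive root such as \??\H:
WINDOWS_DIR_PE = re.compile(r"^c:\\windows\\[^\\]+\.(exe|dll)$", re.I)  # direct child only
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
TEMP_BAT = re.compile(r"\\temp\\[^\s]+\.bat\b")


def base(path):
    return ntpath.basename(path).lower()


def ancestry(pid, events):
    """Image basenames from pid upward, stopping at the first parent not in the events."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    chain = []
    while pid in procs:
        chain.append(base(procs[pid]["image"]))
        pid = procs[pid]["ppid"]
    return chain


def detect(events, ini_threshold=3, drive_threshold=5):
    """Return findings as dicts; each rule name corresponds to a signature in the report."""
    findings, ini_writes, drive_roots = [], defaultdict(list), defaultdict(set)

    def hit(rule, pid, detail):
        findings.append({"rule": rule, "pid": pid, "detail": detail,
                         "chain": ancestry(pid, events)})

    for e in events:
        if e["type"] == "process":
            img, cmd = base(e["image"]), e["cmdline"].lower()
            # net.exe / net1.exe stopping a service whose name contains 'antivirus'.
            if img in ("net.exe", "net1.exe") and " stop " in cmd and "antivirus" in cmd:
                hit("av_service_stop", e["pid"], e["cmdline"])
            # cmd.exe /c running a batch file that lives in a Temp directory.
            if img == "cmd.exe" and TEMP_BAT.search(cmd):
                hit("temp_batch_launcher", e["pid"], e["cmdline"])
        else:
            p = e["path"]
            # A PE written directly into C:\Windows by a writer that is not itself a
            # System32/SysWOW64 binary. Servicing and installers write there too, so
            # the writer's image is the discriminator, not the path alone.
            if (e["op"] == "create" and WINDOWS_DIR_PE.match(p)
                    and not e["image"].lower().startswith(SYSTEM_DIRS)):
                hit("windows_dir_drop", e["pid"], p)
            if base(p) == "_desktop.ini":
                ini_writes[e["pid"]].append(p)
            if DRIVE_ROOT.match(p):
                drive_roots[e["pid"]].add(p)

    # Aggregations: one process spraying marker files, or walking many drive roots.
    for pid, paths in ini_writes.items():
        if len(paths) >= ini_threshold:
            hit("desktop_ini_spray", pid, f"{len(paths)} _desktop.ini writes")
    for pid, roots in drive_roots.items():
        if len(roots) >= drive_threshold:
            hit("drive_enumeration", pid, "".join(sorted(r[-2] for r in roots)))
    return findings


if __name__ == "__main__":
    for f in detect(EVENTS):
        print(f"{f['rule']:<20} pid={f['pid']:<5} {' <- '.join(f['chain'])}\n    {f['detail']}")
```

The two count-based rules are where tuning matters: a single _desktop.ini write or a single drive-root open is normal, so the thresholds are deliberately conservative defaults rather than values the report prescribes. The `chain` field reproduces the parent relationship shown in the process tree, which is what lets an analyst see at a glance that the service stop was requested by a binary running out of the user's Temp directory.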
Network
MITRE ATT&CK Enterprise v15
Downloads

- Path: not shown in the report
  Filesize: 250KB
  MD5: e02a26d5c40ba99e0dd41bf5283f0a89
  SHA1: 974aed12b49db8fd18494a80d2de9a73dd98e594
  SHA256: 2f8f7e0cb11eac3e0ed40c10d931d225e43e8a7b47d2043c1126709b809f1f05
  SHA512: 68566c219e68a07608a7ce9d2cd1124ecc82fe5272087637c61393e51c9afb60d939f84c0c2b03bab6ac239fcdbcfb93fa1b0ff80c2e6531cfbf55452b3bb49f

- Path: not shown in the report
  Filesize: 577KB
  MD5: 3a84e2e2d803729ca1b5d7dae236609b
  SHA1: b9024563b4c92548ae0375e8bdffb303a72403c8
  SHA256: 24d15e4819b257074e2d5afa799b1bbc12489d0bce68328ce16870068466b65c
  SHA512: b062be5d60825a0f6c92f4862b06e46e7c232fe2f8fdf80324cc9183d21da63922968626bd12d553f78214af8f717be9824655944637c7156a90e7e4e13a8581

- Path: C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
  Filesize: 643KB
  MD5: c0057db68dfd75cccab3b14a084dd427
  SHA1: 75f6f857332903754df4c73bb1a22201a0f5fa94
  SHA256: a248fabffb80434c968c6878a53560b86c15015b2a567ecc26d7405786b665ab
  SHA512: 369739ca80ba57d97a3c3a15fc1b5b30d1b111a8450510c8dd32e7768a68426e10bcece74754b3826a437cd05b6eb70ad882a092aafb85f72b9072779d485854

- Path: not shown in the report
  Filesize: 722B
  MD5: f4347ed9f03f570e52f860c51caf4c53
  SHA1: 5b80550a2ccb01df600ef08f2fad12a97b813a2a
  SHA256: 7d2e7a6fed869417bbb5c36df6cbf5b4e76ac56a5e520cd935d11deae012d601
  SHA512: ee0bdc638dc95533eb02676e4902d5d2351848798b68cbb35845a085d3b4b4c236eb491e8bf28aeb37e2e051a6b3da5e73de28d739fc8e0de772bcfa20218551

- Path: C:\Users\Admin\AppData\Local\Temp\043824e73122c345e4081841e81d64ada72700e8f95549eb4b0ae0a07ee0d8cf.exe.exe
  Filesize: 131KB
  MD5: 16438a96a8adb85472ca72da04701b29
  SHA1: b1f5ee8bc083804de4de820255107f6541c84735
  SHA256: 9291cd97d2f1b119438f16e97ea75119f19fd959ec5414e84b337530d692e289
  SHA512: 58f659a29cb34245a261b7666b1cda4b76f2df1039f3713dda6ff5a97c33b4cc273b110d10b4131a6a5c13897efcfa9a5ef3031e0e5fb14db1adc0ac1ef25dcd
  (Note the doubled .exe.exe extension and the smaller size, 131KB against the submitted sample's 164KB; this file has a different hash from the sample.)

- Path: not shown in the report
  Filesize: 33KB
  MD5: fac489180a927456fde29aa70b6c863c
  SHA1: b7638615678d7137f7c9a8ab01952fd6266730d0
  SHA256: e888702980111bdea63056293f56946432701aac652c474a5f8614a137e021d7
  SHA512: cbe953def68f48b32003143d8980b0443c46373395d31ceab62192cb0d2a97d45428e950f54f03b507b9e39b12770c9701e2b5de6e1fda1ce763a9aede7e6682

- Path: not shown in the report
  Filesize: 9B
  MD5: 5412111268dd2c1fb1cf8697bfab9b6c
  SHA1: 16d0b289e83c74cb50a004edd7c5750ac706f321
  SHA256: f3aa35be7048ddbf11fc581e5f9476745d75bcf097e121ba2915614e360a0cdc
  SHA512: 13fc5bf11faaf5471fde8a1bafdcc6d27521bad796e5e532c94d9c8232dd70088e70b6d5ac60c4c15d13e59926ac38e9a9e01b4dd4694a77d70bdd1ae7005ccf