Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
149s -
max time network
125s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
21/09/2024, 15:07
Static task
static1
Behavioral task
behavioral1
Sample
7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe
Resource
win7-20240903-en
General
-
Target
7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe
-
Size
66KB
-
MD5
9d2b72abd8d0fade5bdca3c1109ce4c5
-
SHA1
fcee37365cdc82a91ae115beaf503c8f3457aa5b
-
SHA256
7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537
-
SHA512
8d3b89fd3ef6a23bedd229d7daed68051644f530c02aceca3d5a8b0f89160d5f09554ab78ed3bde8e2f4356f994b1b78ec6d3e73113d27b5f502a34556e54628
-
SSDEEP
1536:PuPoaYzMXqtGNttyUn01Q78a4RE/MF0Vz5gpEaDoc:PhaY46tGNttyJQ7KRE/W0VzBaDP
Malware Config
Signatures
-
Drops file in Drivers directory 2 IoCs
description ioc Process File opened for modification C:\Windows\system32\drivers\etc\hosts Logo1_.exe File opened for modification C:\Windows\system32\drivers\etc\hosts 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini Logo1_.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini Logo1_.exe -
Executes dropped EXE 2 IoCs
pid Process 2116 Logo1_.exe 3540 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\Z: Logo1_.exe File opened (read-only) \??\V: Logo1_.exe File opened (read-only) \??\Q: Logo1_.exe File opened (read-only) \??\N: Logo1_.exe File opened (read-only) \??\E: Logo1_.exe File opened (read-only) \??\W: Logo1_.exe File opened (read-only) \??\T: Logo1_.exe File opened (read-only) \??\R: Logo1_.exe File opened (read-only) \??\P: Logo1_.exe File opened (read-only) \??\O: Logo1_.exe File opened (read-only) \??\K: Logo1_.exe File opened (read-only) \??\H: Logo1_.exe File opened (read-only) \??\G: Logo1_.exe File opened (read-only) \??\X: Logo1_.exe File opened (read-only) \??\U: Logo1_.exe File opened (read-only) \??\L: Logo1_.exe File opened (read-only) \??\J: Logo1_.exe File opened (read-only) \??\I: Logo1_.exe File opened (read-only) \??\Y: Logo1_.exe File opened (read-only) \??\S: Logo1_.exe File opened (read-only) \??\M: Logo1_.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-sl\_desktop.ini Logo1_.exe File created C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nb-no\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\uk-ua\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\eu-es\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ta\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fi-fi\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\es-es\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ca-es\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\WindowsPowerShell\Configuration\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sk-sk\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-ae\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-gb\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\d3d11\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\_desktop.ini Logo1_.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\_desktop.ini Logo1_.exe File created C:\Program Files\Microsoft Office\root\rsod\_desktop.ini Logo1_.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENES\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\css\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ru-ru\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\uk-ua\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Windows NT\Accessories\en-US\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\es-ES\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nl-nl\_desktop.ini Logo1_.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\co\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\it-it\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ca-es\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\sv-se\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nl-nl\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\pt-br\_desktop.ini Logo1_.exe File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\_desktop.ini Logo1_.exe File created C:\Program Files\Windows Defender\uk-UA\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-si\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ko-kr\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\_desktop.ini Logo1_.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\1033\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ja-jp\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ar-ae\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\he-il\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\css\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Crashpad\reports\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\hu-hu\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\collect_feedback\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Google\Update\Install\{E9FAE721-C42D-4B32-B146-9DE88A456C64}\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\dotnet\swidtag\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\_desktop.ini Logo1_.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File created C:\Windows\rundl132.exe 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe File created C:\Windows\Logo1_.exe 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe File opened for modification C:\Windows\rundl132.exe Logo1_.exe File created C:\Windows\Dll.dll Logo1_.exe -
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Logo1_.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 404 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe 404 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe 404 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe 404 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe 404 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe 404 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe 404 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe 404 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe 404 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe 404 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe 404 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe 404 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe 404 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe 404 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe 404 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe 404 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe 404 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe 404 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe 404 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe 404 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe 404 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe 404 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe 404 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe 404 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe 404 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe 404 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe 2116 Logo1_.exe 2116 Logo1_.exe 2116 Logo1_.exe 2116 Logo1_.exe 2116 Logo1_.exe 2116 Logo1_.exe 2116 Logo1_.exe 2116 Logo1_.exe 2116 Logo1_.exe 2116 Logo1_.exe 2116 Logo1_.exe 2116 Logo1_.exe 2116 Logo1_.exe 2116 Logo1_.exe 2116 Logo1_.exe 2116 Logo1_.exe 2116 Logo1_.exe 2116 Logo1_.exe 2116 Logo1_.exe 2116 Logo1_.exe 2116 Logo1_.exe 2116 Logo1_.exe 2116 Logo1_.exe 2116 Logo1_.exe 2116 Logo1_.exe 2116 Logo1_.exe 2116 Logo1_.exe 2116 Logo1_.exe 2116 Logo1_.exe 2116 Logo1_.exe 2116 Logo1_.exe 2116 Logo1_.exe 2116 Logo1_.exe 2116 Logo1_.exe 2116 Logo1_.exe 2116 Logo1_.exe 2116 Logo1_.exe 2116 Logo1_.exe -
Suspicious use of WriteProcessMemory 29 IoCs
description pid Process procid_target PID 404 wrote to memory of 3684 404 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe 82 PID 404 wrote to memory of 3684 404 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe 82 PID 404 wrote to memory of 3684 404 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe 82 PID 3684 wrote to memory of 5108 3684 net.exe 84 PID 3684 wrote to memory of 5108 3684 net.exe 84 PID 3684 wrote to memory of 5108 3684 net.exe 84 PID 404 wrote to memory of 3204 404 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe 85 PID 404 wrote to memory of 3204 404 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe 85 PID 404 wrote to memory of 3204 404 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe 85 PID 404 wrote to memory of 2116 404 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe 87 PID 404 wrote to memory of 2116 404 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe 87 PID 404 wrote to memory of 2116 404 7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe 87 PID 2116 wrote to memory of 436 2116 Logo1_.exe 88 PID 2116 wrote to memory of 436 2116 Logo1_.exe 88 PID 2116 wrote to memory of 436 2116 Logo1_.exe 88 PID 436 wrote to memory of 2448 436 net.exe 90 PID 436 wrote to memory of 2448 436 net.exe 90 PID 436 wrote to memory of 2448 436 net.exe 90 PID 3204 wrote to memory of 3540 3204 cmd.exe 91 PID 3204 wrote to memory of 3540 3204 cmd.exe 91 PID 3204 wrote to memory of 3540 3204 cmd.exe 91 PID 2116 wrote to memory of 2356 2116 Logo1_.exe 92 PID 2116 wrote to memory of 2356 2116 Logo1_.exe 92 PID 2116 wrote to memory of 2356 2116 Logo1_.exe 92 PID 2356 wrote to memory of 1044 2356 net.exe 94 PID 2356 wrote to memory of 1044 2356 net.exe 94 PID 2356 wrote to memory of 1044 2356 net.exe 94 PID 2116 wrote to memory of 3480 2116 Logo1_.exe 56 PID 2116 wrote to memory of 3480 2116 Logo1_.exe 56
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3480
-
C:\Users\Admin\AppData\Local\Temp\7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe"C:\Users\Admin\AppData\Local\Temp\7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe"2⤵
- Drops file in Drivers directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:404 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3684 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"4⤵
- System Location Discovery: System Language Discovery
PID:5108
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9C21.bat3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3204 -
C:\Users\Admin\AppData\Local\Temp\7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe"C:\Users\Admin\AppData\Local\Temp\7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe"4⤵
- Executes dropped EXE
PID:3540
-
-
-
C:\Windows\Logo1_.exeC:\Windows\Logo1_.exe3⤵
- Drops file in Drivers directory
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2116 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:436 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵
- System Location Discovery: System Language Discovery
PID:2448
-
-
-
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2356 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵
- System Location Discovery: System Language Discovery
PID:1044
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
251KB
MD590d69822206b8e980d10a29cea7d01de
SHA17984618563bf7b6f02f085dccc0703e46da11f24
SHA256f8c8eae5776a28c081e2d60d82beba328347cddcacf1779f8de50ff7db2f90e1
SHA512b2f06e660e23689db6185de8837bdf2ca733a51216413485f621e46ecf835d8f269a6a83e4ae3e91e7d8b3f569ddec3e0deeb1baf5cc4aaa05b80623eb3c686d
-
Filesize
577KB
MD534021089aa784bb71f1f7d2dc7425b9b
SHA17e7b4c719eee1a4d4e95aae349409ad178b193ee
SHA256883aa1531ffe6e58b523772781f0c6fe8f4c3d346c32c9750a065a97a076dab7
SHA512787b81683f15b28d50439c8f8b7c6493b43a0cd7e1e3056585b8613361262a64b04b66d42b68542d14883bfc411a3a2d212c2f114b077c3e0c90cc5bd5c968d2
-
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize643KB
MD5c812cad58e4a4cedd3373f5125ed73dc
SHA148cb77381e1c81f5f75e13ee39e35ced130fc784
SHA2561c27223874f6c587ed068134e66e9a0588de3776370bf5f14bfdd246c860d9cf
SHA51272af90d02def9f922ca8d4e621bea562718c8e530039eb22f44e8fc9089ccc4990e0a20b1f2d5761e46af0e579bbd5a666c9176d07b096c751b754a476e6626f
-
Filesize
722B
MD5936ee9c068712ee1b0b745caa8f09428
SHA12bab9421e852a9288fead5a6e79bca0122a817d8
SHA256745790dcac7655b98553366f47b2666392019f8a1fa6ac8366a064e6c6091ec4
SHA512fae909c2e5d3bc309aa439055844c7e7d80d14be0726cdc23e43887db463baeb366b2a1c08893956ab89caed3e3b27ee82fd1216a58c9068abb2cf79a36133d8
-
C:\Users\Admin\AppData\Local\Temp\7c9f3c7f0a82db60905b7dab8bcbe9fb7492a7ea6c34137c6c89461dc7725537.exe.exe
Filesize33KB
MD5cfcf15f5729649399cfb9b2590c9e80a
SHA1f595a3f2812a29492326e5a0478f3924bcbae545
SHA256b6fde5431374f5cc8a2b6b6953d7c466ce8828faf68c43661a2c0cf87481868f
SHA512bbd925abf352af8962ab5e7d4b76bc4146e806cb0f8fde8a7cc2c13318450b46dd5529f6855065241de56efd72e33f4f9961ef5aa4ba8fd3c1ca312444ac8e19
-
Filesize
33KB
MD54674ed865526038d8119445bb553f2b3
SHA197748b9e405e0f585e3d53fea53017d42994f311
SHA256bc3afb605b77075a2bc94b73ffa22e4402fc9e3362806ad293c4198ea81fd51f
SHA512e1b2a929cf3b7f66934c1df530c49345da935c51e56a66f271397a971639eb2ea37eda451bffc90bc788865c9fa22359530508d0245efe6045aa182ecb5b7e2d
-
Filesize
842B
MD56f4adf207ef402d9ef40c6aa52ffd245
SHA14b05b495619c643f02e278dede8f5b1392555a57
SHA256d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e
SHA512a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47
-
Filesize
9B
MD55412111268dd2c1fb1cf8697bfab9b6c
SHA116d0b289e83c74cb50a004edd7c5750ac706f321
SHA256f3aa35be7048ddbf11fc581e5f9476745d75bcf097e121ba2915614e360a0cdc
SHA51213fc5bf11faaf5471fde8a1bafdcc6d27521bad796e5e532c94d9c8232dd70088e70b6d5ac60c4c15d13e59926ac38e9a9e01b4dd4694a77d70bdd1ae7005ccf