Analysis
max time kernel: 149s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25/09/2024, 17:51

Static task: static1
Behavioral task: behavioral1
Sample: a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
Resource: win7-20240708-en
General
Target: a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
Size: 66KB
MD5: 9a769a66705076525660d751ac973f10
SHA1: 84c2e6fcc5e44a94a3c70e72d3c58476ef8fe344
SHA256: a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1
SHA512: e105b5ecb8864e34c573a2696c2a3653c84e2225430e4bcbdc92da6106c1550171dc782097c45c07784526015970a937d8591cd2fd78db735aab6e8177ae0a9d
SSDEEP: 1536:JEaYzMXqtGN/CstC9qVFuiS4qz0XSW3iDhy3:JEaY46tGNFC0VFPS4qz3DhO
Malware Config
Signatures

Drops file in Drivers directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | Logo1_.exe

Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe

Executes dropped EXE (2 IoCs)
  pid | Process
  4192 | Logo1_.exe
  4980 | a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe

Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\N: | Logo1_.exe
  File opened (read-only) | \??\K: | Logo1_.exe
  File opened (read-only) | \??\H: | Logo1_.exe
  File opened (read-only) | \??\G: | Logo1_.exe
  File opened (read-only) | \??\Z: | Logo1_.exe
  File opened (read-only) | \??\Y: | Logo1_.exe
  File opened (read-only) | \??\T: | Logo1_.exe
  File opened (read-only) | \??\P: | Logo1_.exe
  File opened (read-only) | \??\O: | Logo1_.exe
  File opened (read-only) | \??\L: | Logo1_.exe
  File opened (read-only) | \??\W: | Logo1_.exe
  File opened (read-only) | \??\S: | Logo1_.exe
  File opened (read-only) | \??\R: | Logo1_.exe
  File opened (read-only) | \??\I: | Logo1_.exe
  File opened (read-only) | \??\X: | Logo1_.exe
  File opened (read-only) | \??\V: | Logo1_.exe
  File opened (read-only) | \??\U: | Logo1_.exe
  File opened (read-only) | \??\Q: | Logo1_.exe
  File opened (read-only) | \??\M: | Logo1_.exe
  File opened (read-only) | \??\J: | Logo1_.exe
  File opened (read-only) | \??\E: | Logo1_.exe
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File created | C:\Windows\rundl132.exe | a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
  File created | C:\Windows\Logo1_.exe | a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
  File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
  File created | C:\Windows\Dll.dll | Logo1_.exe
System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Logo1_.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of WriteProcessMemory (29 IoCs)
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3532

  C:\Users\Admin\AppData\Local\Temp\a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe"
    PID: 2600
    - Drops file in Drivers directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net.exe
      Command line: net stop "Kingsoft AntiVirus Service"
      PID: 2980
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        PID: 3512
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a705D.bat
      PID: 2292
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\a9f241143fd476d42bed70ab3fb7dfb31fda59ceaec2eca9dabe136fb432adb1.exe"
        PID: 4980
        - Executes dropped EXE

    C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      PID: 4192
      - Drops file in Drivers directory
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        PID: 692
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 3304
          - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        PID: 2060
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 4800
          - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads