Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-10-2024 04:14
Static task: static1
Behavioral task: behavioral1
Sample: 02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3.exe
Resource: win7-20240903-en
General
Target: 02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3.exe
Size: 6.5MB
MD5: 178fa8bfc57c0f593619559868a20b12
SHA1: edde5f6d54c02a1189829af8a20b9287fa9d6e80
SHA256: 02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3
SHA512: 26332a13779550fd6f26c9f21c2cc431e4a2d3153c36943397a936d05f756018ac26e8215d97c500fdd7e7438024cc442a4de4849ea68800ee30a3c3b5c6d62d
SSDEEP: 196608:fCzNA7rlvRz1rrFBV6tpjuj6gYPKHCKsg:fjUtYj6gYPYp
Malware Config
Signatures
Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
Executes dropped EXE (2 IoCs)
pid | Process
1336 | Logo1_.exe
2528 | 02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\de-de\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\cs-cz\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-cn\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Photo Viewer\uk-UA\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fr-fr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\da-dk\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\de-de\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fi-fi\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Defender\en-US\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\he-il\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sv-se\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\cs-cz\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\root\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pt-br\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\de-de\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ru-ru\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hu-hu\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\zh-tw\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Internet Explorer\ja-JP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pl-pl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sk-sk\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Mozilla Firefox\crashreporter.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-gb\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ko-kr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-si\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\te\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java-rmi.exe | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\he-il\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\eu-es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\nb-no\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nl-nl\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fr-fr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sk-sk\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\en-us\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\Simple\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-tw\_desktop.ini | Logo1_.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\Logo1_.exe | 02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\Dll.dll | Logo1_.exe
File created | C:\Windows\rundl132.exe | 02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3.exe
System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Logo1_.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
3968 | 02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3.exe (repeated entries)
1336 | Logo1_.exe (repeated entries)
Suspicious use of AdjustPrivilegeToken (1 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2528 | 02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3.exe
Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target
PID 3968 wrote to memory of 4048 | 3968 | 02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3.exe | 84
PID 3968 wrote to memory of 4048 | 3968 | 02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3.exe | 84
PID 3968 wrote to memory of 4048 | 3968 | 02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3.exe | 84
PID 4048 wrote to memory of 3048 | 4048 | net.exe | 86
PID 4048 wrote to memory of 3048 | 4048 | net.exe | 86
PID 4048 wrote to memory of 3048 | 4048 | net.exe | 86
PID 3968 wrote to memory of 1180 | 3968 | 02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3.exe | 90
PID 3968 wrote to memory of 1180 | 3968 | 02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3.exe | 90
PID 3968 wrote to memory of 1180 | 3968 | 02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3.exe | 90
PID 3968 wrote to memory of 1336 | 3968 | 02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3.exe | 91
PID 3968 wrote to memory of 1336 | 3968 | 02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3.exe | 91
PID 3968 wrote to memory of 1336 | 3968 | 02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3.exe | 91
PID 1336 wrote to memory of 2312 | 1336 | Logo1_.exe | 93
PID 1336 wrote to memory of 2312 | 1336 | Logo1_.exe | 93
PID 1336 wrote to memory of 2312 | 1336 | Logo1_.exe | 93
PID 1180 wrote to memory of 2528 | 1180 | cmd.exe | 95
PID 1180 wrote to memory of 2528 | 1180 | cmd.exe | 95
PID 2312 wrote to memory of 320 | 2312 | net.exe | 96
PID 2312 wrote to memory of 320 | 2312 | net.exe | 96
PID 2312 wrote to memory of 320 | 2312 | net.exe | 96
PID 1336 wrote to memory of 2928 | 1336 | Logo1_.exe | 97
PID 1336 wrote to memory of 2928 | 1336 | Logo1_.exe | 97
PID 1336 wrote to memory of 2928 | 1336 | Logo1_.exe | 97
PID 2928 wrote to memory of 2660 | 2928 | net.exe | 99
PID 2928 wrote to memory of 2660 | 2928 | net.exe | 99
PID 2928 wrote to memory of 2660 | 2928 | net.exe | 99
PID 1336 wrote to memory of 3360 | 1336 | Logo1_.exe | 55
PID 1336 wrote to memory of 3360 | 1336 | Logo1_.exe | 55
Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3360

  C:\Users\Admin\AppData\Local\Temp\02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3.exe"
    PID: 3968
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net.exe
      Command line: net stop "Kingsoft AntiVirus Service"
      PID: 4048
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        PID: 3048
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aABFF.bat
      PID: 1180
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3.exe"
        PID: 2528
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      PID: 1336
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        PID: 2312
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 320
          - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        PID: 2928
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 2660
          - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Credential Access
- Credentials from Password Stores (1)
- Credentials from Web Browsers (1)
- Unsecured Credentials (1)
- Credentials In Files (1)
Downloads

Filesize: 251KB
MD5: 25289b652ba570bb7865014294dbafdc
SHA1: 3b9853b795419c9d08b3fe88705d7a1b38fd6399
SHA256: 211cd6cf08591be8bcf0ea63c6c6cdbcd2439b61062bc9f8dcd4e91250891b9b
SHA512: 7465aea7eacf5674305e2e4d8722723e06e1761f48a2fc5ad26a04561589bf6465abfc6696f931407a49e80288a681bc07ca078361b0f5be30e6903168d36082

Filesize: 488KB
MD5: 088cfecffaa7ad64f6b0317f3dd70054
SHA1: 720fbc36a55c2fbe0ef2610d89093f8ed0bbaf98
SHA256: 006ab9587bb2d6a0ef067df8840f9b303d361032f50cec8e8dbb94954bf20025
SHA512: 6936f8ca350b1d09c63e422801599fef0da289bb0eb81d0e4d3b5b0397e46f9ec661454e45bd1b641a2a7d00215ff9a290b0f0e6c83b9cd8e5078b07926dee50

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize: 643KB
MD5: efcce7232eb78a3095a2cedcfcff1d26
SHA1: fcecbd07f20e3500faa209e80cf1c78af3fd10a7
SHA256: c091a8efdac1e393ae2cc2b45686cf63b9ed2ad73d7b334031a13fa340f65429
SHA512: d787335cb0f515a626e16f6d99ce151eccbca0f7888db2405bdc2445e96afff22afe292a06d57b6f8ae6c24ea3c8d114649b23b2cfe7352f921e55e47503fef4

Filesize: 722B
MD5: 56b953210101fe2830c8e75b114b344b
SHA1: 8e38aee6d71585684c06cdd95acf881b0acc4a9b
SHA256: 5ca3d3273f1ceb79f62e64f5d1aa29438556c309de627c1130b4d4ce1007d281
SHA512: 38b2170e246e591382495d37683951e78b1df0b0d395dbb0ba0a2a2710e3b997d172c3c130864a0cb921eafd7f31eb05327436c7e0a3630812f446438f2e7be3

C:\Users\Admin\AppData\Local\Temp\02d27dc43e5599144329fecc9ed1220f4d3b675302dcd9998d2fef859f5303e3.exe.exe
Filesize: 6.4MB
MD5: f24affc10132405930282aaeb206b7b7
SHA1: 462d7a447a7d6f06bf3083c2af2f00b615c6a1a0
SHA256: abcca6f158b94303d92197bf8e6db545fe4929161e3767619176c4574ccb70fc
SHA512: c7729e3a050797b7d2c6ee07cc432c6dca56ffdb6b7e2662b1a70c90e287bbb2480a3752f262a896110f60f9ce18f884452f3cae3a06c80bef5eec476fba8cfe

Filesize: 9KB
MD5: 78e591860832608ebc49dddd9fc0e1db
SHA1: d927f135f15190f95805dd8bfe6df0de20dfff53
SHA256: ccb5f71ce184e151412a8f04144011ba4da50371c20ef12778d276577f691f9a
SHA512: 57f334f57f0aaba4238e7ce834784dece8e81cceae248999f1a45aa8fed0b86fe20f3d6ac6fb3649cf653e9f65f3b35695e203f1d6ed1e54e073df10fe008fc0

Filesize: 166KB
MD5: 10aaf2cebba115d53566b56f9fae1326
SHA1: a52d2e0102ece5cfd4a95fb4bec0f0bb47af1545
SHA256: 64f47b2c959d0bfa493e104796ff25b2e9159cae1b4bb8dd12e2a9bddac4c384
SHA512: bb6b913fa1364fb4b6963ba47b251fa9e5f2089a5c215e5d1778562998ff05969ca421512ecda0aed0c6b425d150b9f895808c7561763f04aa30a573b6ec7010

Filesize: 166KB
MD5: 5af52e83386c82a63536f4015eea27fb
SHA1: b160b7d8654282f7231641b2b511ae1dccc15698
SHA256: 21ef9ee0595e8ddcd7d69bf79002b1ca04be60277a2e91c8dfb8272dffb327cf
SHA512: 52d98979982edaaadcf078632d0cec6da585dc1e6cf9d9e75594e0c98cb99d0d638b496ddc5c4c8abf3d47000758da0a6fe74e51c2ce6634ead820b8971d6e0f

Filesize: 166KB
MD5: 9c57de2b95339834ff959dbafe8acbfd
SHA1: 2bae31eedbfb862eda3e0c051f14bef41efa8974
SHA256: 0cc6cd8d875e4955a4c7e5a14a75ed29620910bc90a7ccc68920bd71d32859db
SHA512: 5deb6ba906efd1db417db1f165f93b0bd4e968900d084b069fed173d855c51177bce1f83fa6c4e8b2c7205517d6ef508fe3063e22bc200de5ddadf482082d643

Filesize: 166KB
MD5: ecc99433f78693bc1f3d00eb9e3ad5a1
SHA1: 6ee702765220d805b844b49fea99059a368c4935
SHA256: 29b21c4872dd9dacde93a39441959889c6a367a5c84bca598851162e8f998c48
SHA512: c3436592e897d842a0fe5274bcb327483a9b2801d71fb1fe07b8d68a02e684c16db3dffa7d8fcd458087520418888aad74413643cb6cc1ae198a7f7ce15df70d

Filesize: 166KB
MD5: b39ce207bda2c90673b117760317b3e7
SHA1: 182bd9b614d9e5003d219ddbd46727cb57a4e990
SHA256: 58c70053203dc94f045fdd8b53fceb60da9bfc32ff56b1c6ed61833994bb1e90
SHA512: 25bad2614e71ed99116f554f6ef667dcc95a9d83ed7810132e3b2672bee7f51ee27d50fe0a67c52d26197a85bbe8dad699dbe608e09f032533d303be4feeb405

Filesize: 166KB
MD5: 93efaad020ebe4f5994afb9a6e454adb
SHA1: 8b85c1d8e32771f12f09ba9e930f5894bed593c4
SHA256: 71d7948a42d68eaa2c0f2db15bcfb3ee86f41ee794969c45ea4b63f1e87a9a35
SHA512: cb951054d63a330de2f2fefd0b27cec9a786b224cc18e2d3be0ca0a1d48bc77431043da032e5b61931c3111db5b46e583881f938855d332a73e32645b4c22d48

Filesize: 166KB
MD5: 44f5c164b976a1b8dc37b9afceca627b
SHA1: 1f94dceb0b05cd9069d929cbecf5054c5775b80e
SHA256: 8fd9902a1e1bad8d1a4e9ced5386768dd2f04257d99b73f3e5cc575783ad644a
SHA512: bcf335b85f1216b0f5c22c7f8a65b78ca284312787377360d42f946833e6cc79a23447acfbef06060c88dfcf742b6c52cf5ab5f97f0d509fd0b8cfc979dcf8ed

Filesize: 166KB
MD5: 0ec3809dea6547547acb9104a692921a
SHA1: 5edb48b5c045df9ddd8acbdbd5194e5b0b3f62f4
SHA256: 0350a99b7c85cd21e22cbc990b4a2db8d27dd24bb100ddfe096000e6a5bc3954
SHA512: 2f514dedc832b59a36d7cbab8c65015a426d9ba9fbd4de10a5071fad145241b22d5a81d4fa65c36030fc701e989a97abf310b70fc86eacd47494a9b638035539

Filesize: 166KB
MD5: d242c8f1f34adc4e2a18d7664b980044
SHA1: e4580cff26ed508f5abdb3f1a67470ba647554ae
SHA256: a61ab0eb1680fead55a37630d822c6d4e25a53437fcf2d4521f52852f5db7ecd
SHA512: bb257601f49c81f9cf3a29776fdbed0bb6b468c12e568a1abeb462e7d467fc5194b56425fa48c7ef242979190ae5bb58bae25971ed7b82df479d6f9378b7012f

Filesize: 317KB
MD5: e21f5dd05257ece5fb64430b77cfa5c9
SHA1: 3bac7f4dbc6e5bd4531d0f48aa6fc878311c5608
SHA256: d293bdd8180921bfb31cb8afe91d7339acb3cee4c406df6c56c87f9460932b44
SHA512: 82588d57617eff7f8419b8830dd332afe0aaf9b284e6dee1aed05c8c3a79dc73fa031670fb14a0b81ec27cdb59b97d2aa41e3edd05b7f00f8eab0c4a11cbebef

Filesize: 61KB
MD5: 3f7b9b16fe7c0c3130ddd546c3f82c75
SHA1: d6ac383d6dcabaed425096bdcb94b4e59641f9ec
SHA256: 1f865c638c4da788a5d517a0a11727338f58cbe5d57d6b822f5bd06415cb8b9f
SHA512: d2842c34b74a56345c90ab6797d25d793d72b3987022a6e405b62bba15f11653735d521270f1512fd63257281594874e028d3a6adc03ed0632a495b217b0782e

Filesize: 228KB
MD5: 16996e59468c0b980e9e71e1dfde5edf
SHA1: a9217ebff1cc074753499184f9b9a5abc97f89f7
SHA256: 56833a73e78aac21aa3b88724564a6fc0e4b348014b162865e1f4f82aac1833d
SHA512: f876552307b7c167b6104c3cefe6fe07522e0fd91caacb8014fc4efc2be06399363bdd21a3660c633dc93849d1e453b8c22b45613ec9d7670d7b8aee058b1bd9

Filesize: 33KB
MD5: 4b59d42c30960693269448e00b2ffca6
SHA1: cd5f11fe1cfa26eef8d7b9e90ae2346b0d8cf562
SHA256: 6a1d9701474cb7644e120689be4c71fe45f978be0c2934ff91481124c1f14363
SHA512: 07fb18f632389983cc70432e59a247d94325da55f793c04db33d078c1d199628da9ccf45488610b3db25ca8c54f161630c7bb478e0a286babf42e168217a8ca1

Filesize: 10B
MD5: 28a582403dbb209b6c5cb7bada9c918d
SHA1: db58560be63032a4cbd738d2d639e5bf764d6277
SHA256: b5a9fa3acde4d9499ea08a6d9ff193fc9cda57f04141f82d2422a4008f451200
SHA512: 511b4d3886d671d01c66d2509b784a199e68a00f2597d311d8d0770f0b1030680136ee450343a8d6c4b51d9de8448bafdde44dc1a1c6e62bccde47d5af03fbae