Analysis

max time kernel: 149s
max time network: 143s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-10-2024 04:20

Static task: static1
Behavioral task: behavioral1
Sample: f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe
Resource: win7-20241010-en
General

Target: f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe
Size: 478KB
MD5: 28959031896021bc7ca9f579de2cc456
SHA1: 3577f294e56af20384c17c2e6b30043d3fb467ce
SHA256: f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec
SHA512: 8ccc791701cbf875cff76feb50e78391fdc4375e0bd78c59111a657059e2f4c8c91b8603755bd5cfc1feb1abcc98b3eda6e3f810de8e8d60eb35090eecb21020
SSDEEP: 12288:CX1m0iZc0IursYCYQeSnyZJiqlEbXSb9NtCGOF2O27MVzy:o1mfMYenGJiKEbXWtfOkUy
Malware Config
Signatures
-
Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (Logo1_.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (Logo1_.exe)
Executes dropped EXE (3 IoCs)
- PID 2924: Logo1_.exe
- PID 1916: f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe
- PID 4544: f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe

Loads dropped DLL (1 IoC)
- PID 4544: f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
All 21 entries are "File opened (read-only)" by Logo1_.exe on the drive root, in this order:
\??\P:, \??\K:, \??\J:, \??\H:, \??\E:, \??\X:, \??\R:, \??\M:, \??\I:, \??\Z:, \??\U:, \??\N:, \??\W:, \??\T:, \??\S:, \??\Q:, \??\O:, \??\L:, \??\G:, \??\Y:, \??\V:
(every letter from E: to Z: except F:; A:, B:, C: and D: are not probed)
Drops file in Program Files directory (64 IoCs)
All 64 entries are by Logo1_.exe. 24 are "File created" and 40 are "File opened for modification"; every path is a `_desktop.ini` except three executables that were opened for modification.

File opened for modification, executables (3):
- C:\Program Files\Java\jdk-1.8\bin\jinfo.exe
- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
- C:\Program Files\Java\jdk-1.8\bin\rmiregistry.exe

File created (24):
- C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\_desktop.ini
- C:\Program Files\VideoLAN\VLC\lua\meta\reader\_desktop.ini
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-ae\_desktop.ini
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nb-no\_desktop.ini
- C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\_desktop.ini
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\_desktop.ini
- C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\_desktop.ini
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\_desktop.ini
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\_desktop.ini
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\BHO\_desktop.ini
- C:\Program Files\VideoLAN\VLC\locale\bn_IN\_desktop.ini
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-cn\_desktop.ini
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sl-si\_desktop.ini
- C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_desktop.ini
- C:\Program Files\VideoLAN\VLC\plugins\audio_output\_desktop.ini
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\_desktop.ini
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\css\_desktop.ini
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\_desktop.ini
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ko-kr\_desktop.ini
- C:\Program Files\MSBuild\_desktop.ini
- C:\Program Files\VideoLAN\VLC\locale\ka\_desktop.ini
- C:\Program Files\WindowsPowerShell\Configuration\_desktop.ini
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\en-gb\_desktop.ini
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ja-jp\_desktop.ini

File opened for modification, `_desktop.ini` (37):
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\_desktop.ini
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\es-es\_desktop.ini
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ar-ae\_desktop.ini
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fr-fr\_desktop.ini
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\cs-cz\_desktop.ini
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\de-de\_desktop.ini
- C:\Program Files\VideoLAN\VLC\lua\meta\art\_desktop.ini
- C:\Program Files\Windows Portable Devices\_desktop.ini
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\nl-nl\_desktop.ini
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\root\_desktop.ini
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\cs-cz\_desktop.ini
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\_desktop.ini
- C:\Program Files\Java\jre-1.8\legal\javafx\_desktop.ini
- C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\_desktop.ini
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\_desktop.ini
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-ma\_desktop.ini
- C:\Program Files\VideoLAN\VLC\locale\ach\_desktop.ini
- C:\Program Files\VideoLAN\VLC\plugins\spu\_desktop.ini
- C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\ja\_desktop.ini
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\he-il\_desktop.ini
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\es-es\_desktop.ini
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sk-sk\_desktop.ini
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\ADOMD.NET\_desktop.ini
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\_desktop.ini
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\it-it\_desktop.ini
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\_desktop.ini
- C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\_desktop.ini
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-sl\_desktop.ini
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files-select\css\_desktop.ini
- C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\it-IT\_desktop.ini
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\tr-tr\_desktop.ini
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\pl-pl\_desktop.ini
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\nb-no\_desktop.ini
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\it-it\_desktop.ini
- C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\_desktop.ini
- C:\Program Files\Java\jre-1.8\bin\dtplugin\_desktop.ini
- C:\Program Files\VideoLAN\VLC\locale\an\_desktop.ini
Drops file in Windows directory (4 IoCs)
- File created: C:\Windows\rundl132.exe (f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe)
- File created: C:\Windows\Logo1_.exe (f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe)
- File opened for modification: C:\Windows\rundl132.exe (Logo1_.exe)
- File created: C:\Windows\Dll.dll (Logo1_.exe)
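The file-system artefacts in the two sections above (the `_desktop.ini` files scattered under Program Files and the Word STARTUP folder, the three executables opened for modification, and the rundl132.exe / Logo1_.exe / Dll.dll drops in the Windows root) are what a responder would sweep other hosts for. The script below is an added example, not code from the sandbox or the report: it walks a directory tree, flags `_desktop.ini` markers (Explorer's own folder-metadata file is `desktop.ini` without the underscore, so the underscored name is not a Windows artefact), flags the dropper names when they sit directly in a folder named Windows, and hashes every .exe/.dll it passes so a match against the report's dropped-file SHA256 values is reported. The directory layout and file contents written by `build_demo_tree()` are constructed for the demo; `REPORT_SHA256` holds the values from this report's Downloads section.

```python
"""Hunt for the on-disk artefacts listed in this sandbox report.

Added example, not the sandbox's code. build_demo_tree() writes a
constructed layout so the script runs offline; point hunt() at a mounted
image or a live drive for a real sweep.
"""
from __future__ import annotations

import hashlib
import os
import tempfile
from dataclasses import dataclass

MARKER_NAME = "_desktop.ini"                    # underscored name is not a Windows artefact
WINDOWS_ROOT_DROPS = {"rundl132.exe", "logo1_.exe", "dll.dll"}   # from the report

# SHA256 values listed in the report (sample plus Downloads section).
REPORT_SHA256 = {
    "f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec",  # sample, 478KB
    "3114db136b324064263065317536490601c26e731d3558a7caf6cc7507db4d97",  # 251KB
    "6865992bfc8198f5af017209cc289eb9d2adee1e4aede750f881fb5cf307523a",  # 577KB
    "288b0fdb82f827dc8036b64970ba0333aeb74a8fbbd235d70ad34a29bc571608",  # 722B
    "507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496",  # 444KB ...exe.exe
    "335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef",  # 1KB
    "7f5f8fcfd84132579f07e395e65b44e1b031fe01a299bce0e3dd590131c5cb93",  # 126KB
    "fc02df6a818f176e9499cda422291726b9e3d37d6e381dd5629295df031cde03",  # 33KB
    "b5a9fa3acde4d9499ea08a6d9ff193fc9cda57f04141f82d2422a4008f451200",  # 10B
}


@dataclass(frozen=True)
class Finding:
    path: str
    reason: str
    sha256: str


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(root: str, known_bad: set[str] | None = None) -> list[Finding]:
    """Walk root and return findings sorted by path. Only marker files and
    .exe/.dll files are hashed, so the sweep stays cheap on a full drive."""
    bad = REPORT_SHA256 if known_bad is None else known_bad
    findings: list[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        in_windows_root = os.path.basename(dirpath).lower() == "windows"
        for name in files:
            lower = name.lower()
            if lower != MARKER_NAME and os.path.splitext(lower)[1] not in (".exe", ".dll"):
                continue
            full = os.path.join(dirpath, name)
            digest = sha256_file(full)
            reasons = []
            if lower == MARKER_NAME:
                reasons.append("infection marker file")
            if in_windows_root and lower in WINDOWS_ROOT_DROPS:
                reasons.append("dropper name in Windows root")
            if digest in bad:
                reasons.append("hash matches a dropped file from the report")
            if reasons:
                findings.append(Finding(full, "; ".join(reasons), digest))
    return sorted(findings, key=lambda f: f.path)


def build_demo_tree(root: str) -> str:
    """Write a constructed layout mirroring the report's drops. Returns the
    SHA256 of the stand-in 'infected' jinfo.exe so the caller can treat it
    as known-bad (the real file's hash is not in the report)."""
    layout = {  # all contents are constructed, not real PE files
        r"Program Files\VideoLAN\VLC\locale\an\_desktop.ini": b"constructed marker",
        r"Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini": b"constructed marker",
        r"Program Files\Java\jdk-1.8\bin\jinfo.exe": b"MZ constructed infected host",
        r"Program Files\Java\jdk-1.8\bin\jps.exe": b"MZ constructed clean host",
        r"Windows\rundl132.exe": b"MZ constructed dropper",
        r"Windows\System32\notepad.exe": b"MZ constructed system file",
        r"Users\Admin\Desktop\desktop.ini": b"[.ShellClassInfo]",  # legitimate name, no underscore
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("\\"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return hashlib.sha256(b"MZ constructed infected host").hexdigest()


def demo() -> list[tuple[str, str]]:
    """Run the hunt over the constructed tree; returns (reason, relative path) pairs."""
    with tempfile.TemporaryDirectory() as root:
        bad = {build_demo_tree(root)}
        return [(f.reason, os.path.relpath(f.path, root).replace(os.sep, "\\"))
                for f in hunt(root, bad)]


if __name__ == "__main__":
    for reason, path in demo():
        print(f"{reason:45} {path}")
```

On a real host the marker files are the cheapest pivot: their creation timestamps bracket the infection window, and the `.exe` files that were opened for modification should have their hashes compared with a clean install rather than only with the report's list, since the report only records the dropped files, not the post-modification state of jinfo.exe, rmiregistry.exe or AdobeARM.exe.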
System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
All 11 entries are "Key opened" on \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, by process:
- net.exe (3 entries)
- net1.exe (3 entries)
- f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe (3 entries)
- Logo1_.exe (1 entry)
- cmd.exe (1 entry)
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
All 64 entries come from two processes: PID 4860 (f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe) and PID 2924 (Logo1_.exe), each logged repeatedly.
Suspicious use of WriteProcessMemory (32 IoCs)
The sandbox logs one entry per write; the table groups identical entries. Target process names are taken from the process tree below. procid_target is the sandbox's own process identifier, not a Windows PID.

writer PID  writer process                                                              target PID  target process                                                              procid_target  entries
4860        f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe        4904        net.exe                                                                     88             3
4904        net.exe                                                                     4644        net1.exe                                                                    90             3
4860        f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe        4312        cmd.exe                                                                     94             3
4860        f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe        2924        Logo1_.exe                                                                  96             3
2924        Logo1_.exe                                                                  3844        net.exe                                                                     97             3
3844        net.exe                                                                     2628        net1.exe                                                                    99             3
4312        cmd.exe                                                                     1916        f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe        100            3
1916        f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe        4544        f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe        101            3
2924        Logo1_.exe                                                                  4420        net.exe                                                                     103            3
4420        net.exe                                                                     4064        net1.exe                                                                    105            3
2924        Logo1_.exe                                                                  3560        Explorer.EXE                                                                56             2

Every row but the last corresponds to a parent writing into a child it has just created. The last row is different: Logo1_.exe (PID 2924) writes into the memory of the already-running Explorer.EXE (PID 3560), which is not its child.
Processes

1  C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   PID 3560

   2  C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe"
      PID 4860
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      3  C:\Windows\SysWOW64\net.exe
         command line: net stop "Kingsoft AntiVirus Service"
         PID 4904
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4  C:\Windows\SysWOW64\net1.exe
            command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            PID 4644
            - System Location Discovery: System Language Discovery

      3  C:\Windows\SysWOW64\cmd.exe
         command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAD66.bat
         PID 4312
         - System Location Discovery: System Language Discovery
         - Suspicious use of WriteProcessMemory

         4  C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe
            command line: "C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe"
            PID 1916
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            5  C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe
               command line: "C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe" -burn.unelevated BurnPipe.{20B8B901-54FE-41E1-9C3C-043951117FAB} {AD731F2C-88A0-48DE-B7F6-C9D5098B039F} 1916
               PID 4544
               - Executes dropped EXE
               - Loads dropped DLL
               - System Location Discovery: System Language Discovery

      3  C:\Windows\Logo1_.exe
         command line: C:\Windows\Logo1_.exe
         PID 2924
         - Drops startup file
         - Executes dropped EXE
         - Enumerates connected drives
         - Drops file in Program Files directory
         - Drops file in Windows directory
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of WriteProcessMemory

         4  C:\Windows\SysWOW64\net.exe
            command line: net stop "Kingsoft AntiVirus Service"
            PID 3844
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            5  C:\Windows\SysWOW64\net1.exe
               command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
               PID 2628
               - System Location Discovery: System Language Discovery

         4  C:\Windows\SysWOW64\net.exe
            command line: net stop "Kingsoft AntiVirus Service"
            PID 4420
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            5  C:\Windows\SysWOW64\net1.exe
               command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
               PID 4064
               - System Location Discovery: System Language Discovery
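The process tree, the "Runs net.exe" signature and the WriteProcessMemory table together describe four behaviours worth turning into detections: `net stop` against an anti-virus service, an executable launched from the root of C:\Windows (Logo1_.exe), cmd.exe running a `$$a*.bat` from the user's Temp folder that relaunches a binary at the sample's own path (the relaunched copy then runs with `-burn.unelevated BurnPipe.{GUID} {GUID} <pid>`, which is the WiX Burn bootstrapper's elevation-pipe command line, consistent with the 444KB `...exe.exe` dropped file being a benign installer that the sample carried as its host), and a cross-process memory write from Logo1_.exe into the already-running Explorer.EXE. The script below is an added example, not the sandbox's or the report's own code. Its `Proc`/`MemWrite` records are constructed from the tree above (same PIDs, images and command lines; only part of the tree is reproduced), the `Proc`/`MemWrite` schema, the `AV_WORDS` keyword list and the `WINDOWS_ROOT_ALLOW` allowlist are assumptions, and the field names would be mapped to a Sysmon (Event ID 1 for process creation, Event ID 10 for ProcessAccess) or EDR export in practice.

```python
"""Detect the process behaviours shown in this report from process events.

Added example, not the sandbox's own code. Records are constructed from the
report's process tree; schema, keyword list and allowlist are assumptions.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str


@dataclass(frozen=True)
class MemWrite:
    src_pid: int    # process that called WriteProcessMemory
    dst_pid: int    # process written to


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe"

PROCS = [  # constructed from the report's tree (partial)
    Proc(3560, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    Proc(4860, 3560, SAMPLE, f'"{SAMPLE}"'),
    Proc(4904, 4860, r"C:\Windows\SysWOW64\net.exe", 'net stop "Kingsoft AntiVirus Service"'),
    Proc(4644, 4904, r"C:\Windows\SysWOW64\net1.exe", r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
    Proc(4312, 4860, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAD66.bat"),
    Proc(1916, 4312, SAMPLE, f'"{SAMPLE}"'),
    Proc(2924, 4860, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    Proc(3844, 2924, r"C:\Windows\SysWOW64\net.exe", 'net stop "Kingsoft AntiVirus Service"'),
]
MEM_WRITES = [MemWrite(2924, 3560)]   # Logo1_.exe -> Explorer.EXE, from the report

AV_WORDS = ("antivirus", "anti-virus", "defender", "security")   # assumption: tune per estate
WINDOWS_ROOT_ALLOW = {"explorer.exe", "regedit.exe", "notepad.exe",   # assumption: build the
                      "hh.exe", "write.exe", "splwow64.exe", "bfsvc.exe"}   # real list from a gold image
NET_STOP = re.compile(r'\bnet1?(?:\.exe)?\s+stop\s+"?([^"]+?)"?\s*$', re.I)
TEMP_BAT = re.compile(r"\\\$\$a[0-9a-z]+\.bat\b", re.I)   # $$a<id>.bat as seen in the tree


def base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def parent_dir(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower() if "\\" in path else ""


def detect(procs: list[Proc], mem_writes: list[MemWrite]) -> list[tuple[str, int, str]]:
    """Return (rule, pid, detail) triples for every rule that fires."""
    by_pid = {p.pid: p for p in procs}
    hits: list[tuple[str, int, str]] = []
    for p in procs:
        # 1. net/net1 stopping a service whose name looks like a security product
        m = NET_STOP.search(p.cmdline)
        if m and any(w in m.group(1).lower() for w in AV_WORDS):
            hits.append(("av_service_stop", p.pid, m.group(1)))
        # 2. executable running directly from C:\Windows that is not a known root binary
        if parent_dir(p.image) == r"c:\windows" and base(p.image) not in WINDOWS_ROOT_ALLOW:
            hits.append(("unexpected_exe_in_windows_root", p.pid, p.image))
        # 3. cmd.exe /c on a $$a*.bat in the user's Temp folder
        if base(p.image) == "cmd.exe" and TEMP_BAT.search(p.cmdline):
            hits.append(("temp_batch_launcher", p.pid, p.cmdline))
        # 4. grandparent -> cmd.exe -> same image as grandparent (self-relaunch through a batch file)
        parent = by_pid.get(p.ppid)
        grand = by_pid.get(parent.ppid) if parent else None
        if parent and grand and base(parent.image) == "cmd.exe" and grand.image.lower() == p.image.lower():
            hits.append(("self_relaunch_via_cmd", p.pid, p.image))
    # 5. memory write into explorer.exe from anything outside System32
    for w in mem_writes:
        src, dst = by_pid.get(w.src_pid), by_pid.get(w.dst_pid)
        if src and dst and base(dst.image) == "explorer.exe" \
                and not src.image.lower().startswith(r"c:\windows\system32"):
            hits.append(("memory_write_into_explorer", w.src_pid, src.image))
    return hits


if __name__ == "__main__":
    for rule, pid, detail in detect(PROCS, MEM_WRITES):
        print(f"{rule:32} pid={pid:<5} {detail}")
```

Rule 1 fires on both net.exe and its net1.exe helper, which is what you want for correlation but doubles the alert count; dedupe on the service name and the process-tree root if the SIEM cannot. Rule 5 is the highest-confidence signal here: an unsigned binary in the Windows root writing into Explorer is not something an installer does.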
Network
MITRE ATT&CK Enterprise v15

Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads

- Filesize: 251KB
  MD5: 10a7fff2e496850370cd3b3ee33cada0
  SHA1: 2fbeb0236ab8937b7aa472cae8b3720802e9c764
  SHA256: 3114db136b324064263065317536490601c26e731d3558a7caf6cc7507db4d97
  SHA512: d714185364cce8be63ecaa6ba4abdd3da5ded059a2df252f9d26e2440cbbcecfc96e0944a84ea3201b0d8b1afa57154053dc814995dbea36bd06dfbfe629ef58

- Filesize: 577KB
  MD5: c271a86be0a29d90a35fe31a5c49272e
  SHA1: 40ce9f85f7a6dda6fe54d36a86a46d131bc120dc
  SHA256: 6865992bfc8198f5af017209cc289eb9d2adee1e4aede750f881fb5cf307523a
  SHA512: e32d6246ec9c00d8bb8a14793f30b22983f1c03ea418c241bf4c8e22c9992334fe0ab3715b64e3d43d44b9a6cba86e4d75c2ff55d8ff2201fcb1329510b762ae

- Filesize: 722B
  MD5: 341058fb9fafaeb388442dd979f0ca54
  SHA1: 67f40f3c87661dc03503c03476eb0407522a5b52
  SHA256: 288b0fdb82f827dc8036b64970ba0333aeb74a8fbbd235d70ad34a29bc571608
  SHA512: 258d8fd64100913aa2e3655fc46178693d8213ead66dd1b6842a47fd8d988278ee28ff62da1ad592c43f8c44264361404cc18ddb7531696386050d9bb9c804e5

- C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe.exe
  Filesize: 444KB
  MD5: 2b48f69517044d82e1ee675b1690c08b
  SHA1: 83ca22c8a8e9355d2b184c516e58b5400d8343e0
  SHA256: 507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496
  SHA512: 97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

- Filesize: 1KB
  MD5: d6bd210f227442b3362493d046cea233
  SHA1: ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
  SHA256: 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
  SHA512: 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

- Filesize: 126KB
  MD5: d7bf29763354eda154aad637017b5483
  SHA1: dfa7d296bfeecde738ef4708aaabfebec6bc1e48
  SHA256: 7f5f8fcfd84132579f07e395e65b44e1b031fe01a299bce0e3dd590131c5cb93
  SHA512: 1c76175732fe68b9b12cb46077daa21e086041adbd65401717a9a1b5f3c516e03c35a90897c22c7281647d6af4a1a5ffb3fbd5706ea376d8f6e574d27396019c

- Filesize: 33KB
  MD5: dd7de04b7104a93e35fb3a577b5b621b
  SHA1: 4d84ff8b82f359e1c303d9d68dda6dc503848ad6
  SHA256: fc02df6a818f176e9499cda422291726b9e3d37d6e381dd5629295df031cde03
  SHA512: 569116a84fd5d09c06c4967d466de2f6a7be71b77edaa28bef11836d0eb5fa20eef5c9c415540a8f5f785cdbe0e059f21a835952b81ac97b5e620a52bf56a921

- Filesize: 10B
  MD5: 28a582403dbb209b6c5cb7bada9c918d
  SHA1: db58560be63032a4cbd738d2d639e5bf764d6277
  SHA256: b5a9fa3acde4d9499ea08a6d9ff193fc9cda57f04141f82d2422a4008f451200
  SHA512: 511b4d3886d671d01c66d2509b784a199e68a00f2597d311d8d0770f0b1030680136ee450343a8d6c4b51d9de8448bafdde44dc1a1c6e62bccde47d5af03fbae