Analysis
max time kernel: 150s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20250619-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/06/2025, 17:36
Static task: static1
General
Target: f9e8ebebead6f4ea8b050cc5746f5579967f454b59acf1ea472b5a01684b4ccd.exe
Size: 211KB
MD5: e912f9a8d3949365f9e464f6ae956f18
SHA1: 3f09166515517e057ecd46646bdf6a4b4414e92d
SHA256: f9e8ebebead6f4ea8b050cc5746f5579967f454b59acf1ea472b5a01684b4ccd
SHA512: e720463f54d52b908f62afc83252dbcc4f4821f494df2bc93aa52cfbdd6a133d2b3cfa6e87c589c89aec92fbfc5950eb3e64fa53a32818e389c7a38f49b2d5cf
SSDEEP: 6144:NU+azbRZvhGNUl462K4TSFo5Y683TdiQ:NU+azbvwNU+aKgh
Malware Config
Signatures
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe

Executes dropped EXE 2 IoCs
pid | Process
1236 | Logo1_.exe
2252 | f9e8ebebead6f4ea8b050cc5746f5579967f454b59acf1ea472b5a01684b4ccd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
description | ioc | Process
File created | C:\Windows\rundl132.exe | f9e8ebebead6f4ea8b050cc5746f5579967f454b59acf1ea472b5a01684b4ccd.exe
File created | C:\Windows\Logo1_.exe | f9e8ebebead6f4ea8b050cc5746f5579967f454b59acf1ea472b5a01684b4ccd.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\Dll.dll | Logo1_.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f9e8ebebead6f4ea8b050cc5746f5579967f454b59acf1ea472b5a01684b4ccd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Logo1_.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | f9e8ebebead6f4ea8b050cc5746f5579967f454b59acf1ea472b5a01684b4ccd.exe
Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs
pid | Process
736 | f9e8ebebead6f4ea8b050cc5746f5579967f454b59acf1ea472b5a01684b4ccd.exe
1236 | Logo1_.exe
(the report repeats these two entries, 64 IoCs in total)

Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2252 | f9e8ebebead6f4ea8b050cc5746f5579967f454b59acf1ea472b5a01684b4ccd.exe

Suspicious use of WriteProcessMemory 29 IoCs
description | pid | Process | procid_target | entries
PID 736 wrote to memory of 1124 | 736 | f9e8ebebead6f4ea8b050cc5746f5579967f454b59acf1ea472b5a01684b4ccd.exe | 85 | 3
PID 1124 wrote to memory of 4748 | 1124 | net.exe | 87 | 3
PID 736 wrote to memory of 1012 | 736 | f9e8ebebead6f4ea8b050cc5746f5579967f454b59acf1ea472b5a01684b4ccd.exe | 91 | 3
PID 736 wrote to memory of 1236 | 736 | f9e8ebebead6f4ea8b050cc5746f5579967f454b59acf1ea472b5a01684b4ccd.exe | 92 | 3
PID 1236 wrote to memory of 4868 | 1236 | Logo1_.exe | 93 | 3
PID 4868 wrote to memory of 2332 | 4868 | net.exe | 95 | 3
PID 1012 wrote to memory of 2252 | 1012 | cmd.exe | 97 | 3
PID 1236 wrote to memory of 4952 | 1236 | Logo1_.exe | 98 | 3
PID 4952 wrote to memory of 5084 | 4952 | net.exe | 100 | 3
PID 1236 wrote to memory of 3448 | 1236 | Logo1_.exe | 56 | 2
Processes
C:\Windows\Explorer.EXE (level 1, PID 3448)
  command line: C:\Windows\Explorer.EXE
  C:\Users\Admin\AppData\Local\Temp\f9e8ebebead6f4ea8b050cc5746f5579967f454b59acf1ea472b5a01684b4ccd.exe (level 2, PID 736)
    command line: "C:\Users\Admin\AppData\Local\Temp\f9e8ebebead6f4ea8b050cc5746f5579967f454b59acf1ea472b5a01684b4ccd.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe (level 3, PID 1124)
      command line: net stop "Kingsoft AntiVirus Service"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe (level 4, PID 4748)
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\cmd.exe (level 3, PID 1012)
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5C68.bat
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\f9e8ebebead6f4ea8b050cc5746f5579967f454b59acf1ea472b5a01684b4ccd.exe (level 4, PID 2252)
        command line: "C:\Users\Admin\AppData\Local\Temp\f9e8ebebead6f4ea8b050cc5746f5579967f454b59acf1ea472b5a01684b4ccd.exe"
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: GetForegroundWindowSpam
    C:\Windows\Logo1_.exe (level 3, PID 1236)
      command line: C:\Windows\Logo1_.exe
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe (level 4, PID 4868)
        command line: net stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (level 5, PID 2332)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          - System Location Discovery: System Language Discovery
      C:\Windows\SysWOW64\net.exe (level 4, PID 4952)
        command line: net stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (level 5, PID 5084)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          - System Location Discovery: System Language Discovery
Network

MITRE ATT&CK Enterprise v16
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads