Analysis
max time kernel: 149s
max time network: 137s
platform: windows10-2004_x64
resource: win10v2004-20250619-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250619-en, locale:en-us, os:windows10-2004-x64, system
submitted: 30/06/2025, 17:42
Static task: static1
Behavioral task: behavioral1
  Sample: d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
  Resource: win10v2004-20250619-en
Behavioral task: behavioral2
  Sample: d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
  Resource: win11-20250619-en
General
Target: d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
Size: 579KB
MD5: 28bd5c3abf0b5b887d65baf1994b56a6
SHA1: 86102826cbdc7e7801eae5ab3c51f67c88411eef
SHA256: d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91
SHA512: 1e2446e3e68c6038a9a8ead218942dde6bec49cd3d311ccd94f15c94a769fcea5d8433d22ec8ea9ab065acdeeea8ad30be9bd9daf4f9ffa50fa28fd06e38c186
SSDEEP: 12288:VjiSjjiSjjiSjjiSjjiSjjiSjjiSjjiSjjiSjjiSjjiSjjiSjjiSjjiSjjiSjji2:kfffffffffffffffji
Malware Config
Signatures
Modifies visibility of file extensions in Explorer (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4144907350-1836498122-2806216936-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | 0BC3D.com
Executes dropped EXE (18 IoCs)
pid | Process
1412 | Logo1_.exe
552 | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
5804 | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
3244 | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
4692 | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
4928 | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
3632 | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
4948 | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
4996 | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
3328 | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
6108 | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
412 | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
4020 | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
1400 | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
4464 | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
3996 | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
2448 | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
5060 | 0BC3D.com
Adds Run key to start application (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TempCom = "C:\\WINDOWS\\FONTS\\0BC3D.com" | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File created | C:\Program Files\Java\jdk-1.8\jre\lib\fonts\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\Office16\Configuration\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\FPA_FA000000050\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hu-hu\_desktop.ini | Logo1_.exe
File created | C:\Program Files\edge_BITS_4564_616499314\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\setup.exe | Logo1_.exe
File created | C:\Program Files\Microsoft Office\Office16\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Cartridges\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\visualization\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jdk-1.8\lib\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\SystemX86\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\keystore\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\de-de\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\nb-no\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jre-1.8\lib\images\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\GRPHFLT\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\lt\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\misc\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\uk\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\_desktop.ini | Logo1_.exe
File created | C:\Program Files\MsEdgeCrashpad\attachments\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ja-jp\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\MSIPC\da\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\de-DE\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\lua\http\js\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\swidtag\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-sl\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-sl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pl-pl\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sv-se\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\cs-cz\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\hy\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pt-br\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-gb\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\Office16\MSIPC\hr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\en\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\_desktop.ini | Logo1_.exe
Drops file in Windows directory (21 IoCs; identical rows collapsed, with the number of occurrences in the last column)
description | ioc | Process | occurrences
File created | C:\WINDOWS\FONTS\0BC3D.com | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe | 1
File opened for modification | C:\WINDOWS\FONTS\0BC3D.com | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe | 1
File created | C:\Windows\Dll.dll | Logo1_.exe | 1
File created | C:\Windows\Logo1_.exe | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe | 16
File created | C:\Windows\rundl132.exe | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe | 1
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe | 1
Program crash (1 IoC)
pid | pid_target | Process | procid_target
1596 | 1412 | WerFault.exe | 87
System Location Discovery: System Language Discovery (1 TTP, 37 IoCs; identical rows collapsed, with the number of occurrences in the last column)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process | occurrences
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe | 16
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe | 17
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Logo1_.exe | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 0BC3D.com | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe | 1
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe | 1
Runs net.exe
Suspicious behavior: EnumeratesProcesses (62 IoCs; identical rows collapsed, with the number of occurrences in the last column)
pid | Process | occurrences
1884 | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe | 18
1412 | Logo1_.exe | 44
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
5060 | 0BC3D.com
Suspicious use of SetWindowsHookEx (2 IoCs)
pid | Process
2448 | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
5060 | 0BC3D.com
Suspicious use of WriteProcessMemory (64 IoCs; identical rows collapsed, with the number of occurrences in the last column)
description | pid | Process | procid_target | occurrences
PID 1884 wrote to memory of 224 | 1884 | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe | 86 | 3
PID 1884 wrote to memory of 1412 | 1884 | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe | 87 | 3
PID 1412 wrote to memory of 6036 | 1412 | Logo1_.exe | 89 | 3
PID 224 wrote to memory of 552 | 224 | cmd.exe | 91 | 3
PID 6036 wrote to memory of 5948 | 6036 | net.exe | 92 | 3
PID 552 wrote to memory of 1692 | 552 | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe | 93 | 3
PID 1692 wrote to memory of 5804 | 1692 | cmd.exe | 95 | 3
PID 5804 wrote to memory of 5184 | 5804 | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe | 96 | 3
PID 5184 wrote to memory of 3244 | 5184 | cmd.exe | 99 | 3
PID 3244 wrote to memory of 4596 | 3244 | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe | 100 | 3
PID 4596 wrote to memory of 4692 | 4596 | cmd.exe | 102 | 3
PID 4692 wrote to memory of 4732 | 4692 | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe | 103 | 3
PID 4732 wrote to memory of 4928 | 4732 | cmd.exe | 105 | 3
PID 4928 wrote to memory of 5108 | 4928 | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe | 106 | 3
PID 5108 wrote to memory of 3632 | 5108 | cmd.exe | 109 | 3
PID 3632 wrote to memory of 3008 | 3632 | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe | 110 | 3
PID 3008 wrote to memory of 4948 | 3008 | cmd.exe | 112 | 3
PID 4948 wrote to memory of 5368 | 4948 | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe | 113 | 3
PID 5368 wrote to memory of 4996 | 5368 | cmd.exe | 115 | 3
PID 4996 wrote to memory of 2644 | 4996 | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe | 116 | 3
PID 2644 wrote to memory of 3328 | 2644 | cmd.exe | 118 | 3
PID 3328 wrote to memory of 5796 | 3328 | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe | 119 | 1
Processes (each process is the child of the one at the previous level)
Level 1: C:\Windows\Explorer.EXE (PID 3464)
  Command line: C:\Windows\Explorer.EXE
Level 2: C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe (PID 1884)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
Level 3: C:\Windows\SysWOW64\cmd.exe (PID 224)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a61B7.bat
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
Level 4: C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe (PID 552)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
Level 5: C:\Windows\SysWOW64\cmd.exe (PID 1692)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a62F0.bat
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
Level 6: C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe (PID 5804)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
Level 7: C:\Windows\SysWOW64\cmd.exe (PID 5184)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a63CB.bat
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
Level 8: C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe (PID 3244)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
Level 9: C:\Windows\SysWOW64\cmd.exe (PID 4596)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6486.bat
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
Level 10: C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe (PID 4692)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
Level 11: C:\Windows\SysWOW64\cmd.exe (PID 4732)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6503.bat
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
Level 12: C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe (PID 4928)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
Level 13: C:\Windows\SysWOW64\cmd.exe (PID 5108)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6590.bat
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
Level 14: C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe (PID 3632)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
Level 15: C:\Windows\SysWOW64\cmd.exe (PID 3008)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a665B.bat
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
Level 16: C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe (PID 4948)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
Level 17: C:\Windows\SysWOW64\cmd.exe (PID 5368)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6755.bat
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
Level 18: C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe (PID 4996)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
Level 19: C:\Windows\SysWOW64\cmd.exe (PID 2644)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a67B3.bat
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
Level 20: C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe (PID 3328)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
Level 21: C:\Windows\SysWOW64\cmd.exe (PID 5796)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6820.bat
  - System Location Discovery: System Language Discovery
Level 22: C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe (PID 6108)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
Level 23: C:\Windows\SysWOW64\cmd.exe (PID 4540)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a68CC.bat
  - System Location Discovery: System Language Discovery
Level 24: C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe (PID 412)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
Level 25: C:\Windows\SysWOW64\cmd.exe (PID 5328)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6939.bat
  - System Location Discovery: System Language Discovery
Level 26: C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe (PID 4020)
  Command line: "C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
Level 27: C:\Windows\SysWOW64\cmd.exe (PID 624)
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6997.bat
  - System Location Discovery: System Language Discovery
Level 28: C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
PID:1400 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6A04.bat29⤵
- System Location Discovery: System Language Discovery
PID:4404 -
C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"30⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:4464 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6A81.bat31⤵
- System Location Discovery: System Language Discovery
PID:3472 -
C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"32⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3996 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6AEF.bat33⤵
- System Location Discovery: System Language Discovery
PID:3952 -
C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"34⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2448
Image: C:\Windows\Logo1_.exe
Command line: C:\Windows\Logo1_.exe
Tree depth: 3
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 1412

Image: C:\Windows\SysWOW64\net.exe
Command line: net stop "Kingsoft AntiVirus Service"
Tree depth: 4
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 6036

Image: C:\Windows\SysWOW64\net1.exe
Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Tree depth: 5
- System Location Discovery: System Language Discovery
PID: 5948

Image: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1412 -s 1052
Tree depth: 4
- Program crash
PID: 1596

Image: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c C:\WINDOWS\FONTS\0BC3D.com
Tree depth: 2
PID: 5676

Image: C:\WINDOWS\FONTS\0BC3D.com
Command line: C:\WINDOWS\FONTS\0BC3D.com
Tree depth: 3
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID: 5060

Image: C:\Windows\SysWOW64\WerFault.exe
Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1412 -ip 1412
Tree depth: 1
PID: 5788
Network
MITRE ATT&CK Enterprise v16
Privilege Escalation
Boot or Logon Autostart Execution 1
Registry Run Keys / Startup Folder 1
Defense Evasion
Hide Artifacts 1
Hidden Files and Directories 1
Modify Registry 2
Downloads
Filesize: 722B
MD5: f8115e6abd9518589ecf4b7679a6fa7d
SHA1: a7831927705a64f880de2dacbc4bf1ef23bb4c7c
SHA256: 12767504d0d168f9543afd23a524d68e2102efbedd8786acaee2e32bf11b47b4
SHA512: 80c81128497405fe588a26fa60be600c8767a67d7e04e3c04628e0fd047e27c88bed0df6d2d9cf012e7e9a63cf62b58d4783748a7ae4af2e3c882ada80aef2e9

Filesize: 722B
MD5: c36bdc98acac740ed90ce67a0014a16f
SHA1: 79a97a31d9c5cf08fbe6b2d15339bcf1b539a6f5
SHA256: 24a147b606209d80e96f82e56b385ad4968e9711674d3722613d5144776a9267
SHA512: 897ad13ff1c7a4a72ba3a6fd1e9ad9ff81a42d8cabbd6a12267719e93b5ec1602541b5ae0ee6438e57ce4c1d8aac58ced8d0fcc6eb029eb0aad15c17acc2f36c

Filesize: 722B
MD5: c34a4ab0abf8b068b2eb58d420c70e46
SHA1: c690ff1bb344d5e3166537161f4aeeabe7d2256d
SHA256: 7693a8a462c12935383742d3922d19e88a3f46f5d4185da02dfc01d3c868c7b0
SHA512: 06ce7e69fdf205ab93feb29cb6e5521e7bdd7b37d46dc7580f82a29b398cba29ad5697bf1bf5a3bb0666e05b1e589d2abf102598980f540a23fbe1f266f46739

Filesize: 722B
MD5: 4c141f9647c4075e28bf6793334659e3
SHA1: d3a9c5769c234bf51b2da147a5df82018ab2f0e5
SHA256: 178b2a4dc49986e274d3fd9f12512f8eda66f7b724992a252478e0f1419a737f
SHA512: 205a93a371b97dfb293f7ca1fed70e441550b5563e1dbac358e67d88233ac3f6329bdc3d90320819af57c444e7b049c8470b30ec7f3537aaf6cbb9670a3cf89b

Filesize: 722B
MD5: a47b9503b1e3247394304c8bd8facf33
SHA1: b66f53d0f48acff6a3f067b8ecfc1bbde21a6d0d
SHA256: c5aac0c0309484daac453c2f72e90e711167c8f615da9683804dfa43ea68a7c6
SHA512: 360cfcd25e0b225f6ee5fa2202617ce1c8be886d8ce92dda94e9587fe3c03b290fbb7ffe8b4bbe3a1489e14729d27d0e00e7ae42ba1988dfad3be71eae2ca953

Filesize: 722B
MD5: 5f2bd2f005c0d9fc402711c144f6b5a8
SHA1: f9e56748d6e28d131f4b3a752795983fe82a0c72
SHA256: 2374f617a044c5dc5f93e15b5b68d1787b66eee6e6f021ecd7f2fe7404c85544
SHA512: 4595c369f7370e071ef660eb18fc80a2d1c5ffac8c57add148af531e087e28951a3b2fcaa55c708edf82f3ed675d76e6bc6210c1adcdb61e586fee29cc9d7af7

Filesize: 722B
MD5: 895629218ecb5413c409561af738fe78
SHA1: 73dea6239e651b253322539573ade90021277076
SHA256: f28fbc17d100d2fc451587d92c7cebcd42df1c479b0276d126743c9f96e35aef
SHA512: ba7ddef0f31f224dbba28b8c48858dc4db56155ddef2c3535a35e0073fc350056f756022530210f0a72b31ffaff2a6b7dcfe85f408fffd31d00dbb514854471a

Filesize: 722B
MD5: 9f5c24b3cd94a2584b56f997fc2ba88e
SHA1: ae9e05f41a66e32e4bd6d33707c261a98c7c1fa2
SHA256: 4099e0c8d014d48fd25a5ab1a452ea2ee20dd31b8bb0ba596fbdf3ee48fa7dfd
SHA512: e1697cce846e5b480b75146a71e66f2b41f464422c0a30c4836c91b13507b64d294e4bf4cd87920883c0a14613684f9ad9fb2988fb9d7d8a10661c1508c3f2c5

Filesize: 722B
MD5: 123914acc04b86df443862f7d3942d80
SHA1: 489203cc9342ddd152c70234c6cb8f605382154d
SHA256: 254066de58276eb955facd100f2fcf084e9490cd6b4891762af59f6e41d7fdd8
SHA512: b7e1c7b682bedcc47281929430d4f7027db24984f4018cd30d4b8c7d697ef04f966d1f2c9906a49d72ec85128e250243f40db5a7577a1ce022b0c5361bd38854

Filesize: 722B
MD5: eab8e15a41fb5638be5f72a428c371d6
SHA1: 493542028e0188c8063c390cc219cca5a070a52a
SHA256: 1198705363bbb05c6e033d523acca90b8aafc2c9874be3ecfa5fa3e3d800c6fa
SHA512: ac3dd8b3089d45eb2dc808deb81e67028a41810c4e9344fe8f1376d88896c92dc252f1b69ae814015501eed48b1bc0037a67c40bba21da7b0fdd640fb9f13168

Filesize: 722B
MD5: ab5000203fb9810bc4c37937dc0395f9
SHA1: 32df5c6156a81dd11b1c44d5223406edb2eb26b4
SHA256: 7f30f147744e14b1173012160787d745accc17c7bca48afbc7bc462e59978b73
SHA512: e486cfe8e64140ad8c1421ecf312d7ab925eafeeb242929c56c4847c6c78ae0b1b269718cbf9a82848e16e45e4224cee69c6e13cf742602975494126de689a54

Filesize: 722B
MD5: e0fdf05be61eadb47ad729ddf4351976
SHA1: 00d200f7a52d93915b66285239713636dab8c1a4
SHA256: 699cbec6354b8e913136c24f2e86e3694b52bc5c4c59bc2af0b136ac14b5ac42
SHA512: 06a8006f24cd712e4ed10407d0e211d4b24496cc2e98f093f7f6bd9aafd4ca2d40eb0febb6459e6093449fc55ee45aa5b609377d087e2c780b8d6ec8604529fa

Filesize: 722B
MD5: 689ef6fa6c685faada62de8dea624216
SHA1: 3a93d747e531576d891d391b4f85fb3f1e944d7b
SHA256: 5a27dd4b53036804bed6a65b2a4bbffd06a5ec303b988709f746ea93d5b3476a
SHA512: cfa749b46107d0afe485d2d08d72bbbf6993a837b15f4eea685c010a27e1b0ff3c724692f19bd2418810aff8888c22ce94490e7db9993da480e545aba02b41ac

Filesize: 722B
MD5: cc6d4b80a9d1d4caec77b917cec970d7
SHA1: 20a5a23090e00a75a81801e43380355e12606eee
SHA256: 864d50c979efa73678d1c4859b9930946fc255123547cf13a8eb71a0ebe209cd
SHA512: 6bddbc03e64a27b851a07a4c4811754aea37979962d098251fe88c072720fbf4a8f645213502c503a930325dc82657eca98399aa39dd508f40154c5ce0a0ddff

Filesize: 722B
MD5: 1acbcc3cb99774ace144712c685b5fea
SHA1: 17f5554b81ce08041c80d2f6f796fe8f54615044
SHA256: ecf79ed9406b62a875cde24f1558fea55f1bee90eb2fd35c9d8b35dfc392fb32
SHA512: 5875ee990930642ceb1e1fd4f2286b0ff9faa7708dde262e29b875c9226bc9389f7e3afd36f2d5f6b3fdec0652da80afe12b4942112cd628927f404adf914fee

Filesize: 722B
MD5: 1910bded7f9460f6f8fbbefce57fcf1f
SHA1: 1d4643ae848f9c9bb493f1f961f3e8f04dbcc365
SHA256: e16ad08173af1c429c11ac430446a17b0f7be49fe95b7ae219878633086ef5db
SHA512: 3c5f8fdbab3e4faced2ff5373e280832aa982a2170a5282327c7a2b311833f757044965dc1b66589d22cd576af43f09d16aa929403410c22d39b84b066975f95
C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
Filesize: 287KB
MD5: 56cf1234d82b459b0d4b0e91312d62da
SHA1: 18c24408609bb6546b66e41bd6e8dfbd013563fe
SHA256: c11d5b1dc931fd3aaf644df9fd7d8febb921c71a918a221202d0f48a105831d0
SHA512: 57d70544604eda2438d4a18cc3a87fdb948ff62e15296a8525bf127e1758ae045bf3fe2b4c46c3196d07ae5ad50ef296169c99fec8c93f2bb93b39798feea6f3

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
Filesize: 60KB
MD5: 73d597a2b90c7d4d2e90ca08c39d2f99
SHA1: d6788d79477f3f0da9b0c5229ce6834136d91a59
SHA256: d45bba35a13db84260f7981f247ff1a75cf3065ac993ae1a13708a542a19280e
SHA512: ec5e70b7db46d6c298052ffe9a7c89c5b7ba6de67551e36262d84fcd3e4930dfde9ab29b23845bcc54d76d67530b6455a3f422b3349032ab41915676730a01ce

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe
Filesize: 547KB
MD5: 0137dec43c77f401659bcd7a4032702c
SHA1: e40ab90e560caa2734ba3e46c5cd5aaa684b3eea
SHA256: 6cb9ea30ccbbd5f19396010e30c7e4aca6cba55894014a64412a43511ada433d
SHA512: c434bcd9e0beb61137a55fdb11b17d3ce0445f058791923bac3dd326d658db319b35f2226d7c450d1b7baad6f24c53637b14fede37b173cb672ffc5a46e9e740

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe
Filesize: 384KB
MD5: a353218f7897ca4ea7b1ff4416fe1817
SHA1: 84d8a5c89b0193eac2f74bd315811c68022946d2
SHA256: ff4695e69b9c508b085d5dedf5fd3cac436076f56dc5b098920713418dac3c89
SHA512: df38221aa63a6c0d4575dddcb51ae00373dfcd566f09d90748aa4aec661359f64e81ac4feffa8280068abc35c512dc15f343989ce769074d88b5f744e03aaaac

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe
Filesize: 514KB
MD5: f0866c2d2ab43b833b957787b4a08526
SHA1: 1410b5b5faf130cf22160968238aab93bb3c960b
SHA256: ebd70e789f272064e045929c7d1d0bce6f64a5a5c056ea2e70ab1542ab3ce1ae
SHA512: 6a4813362a23f390922388eb8123aa81af797cb6435dbe6ded1dc281d54135c93ee5b6567f55586210808384f27052e76eb07bcc3641a9906294f88f4a499a2c

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe
Filesize: 482KB
MD5: 47db56aa979056f9beba80adc63e72ea
SHA1: 1dc36f048b9ed9f98f7f9ef069f26193dea713b8
SHA256: bc1183cf270c5164bd3e4c6ad4c1fc32a729fe5aba53784e52d76238d7f873e8
SHA512: f2f520e95283a73a009eb3b8be439c386dd921cd008b68a78594df744053611057b7e7f6794388edf63d93cc4ba1349d2cca9415a9c2e317fcd5047d0e12adb9

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe
Filesize: 319KB
MD5: e9d499bb915d58a3a58429209eb00b7d
SHA1: 8715af16ec2efe464f486eefd15a5d248e3caebb
SHA256: f6baf3ee157e1e1798836bbd3ef63de56d4573c6c81f1fb68a3f64c8d5fdf992
SHA512: b9a408171b0827496f81490e9351401943e5de79c19c3da234b05fc543dde913c0f2928f73d5a207d8e5df30954b320f5006faf70a5591ae93de84ca659fcce6

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe
Filesize: 449KB
MD5: 6d9545c6556a236a67207db368fcdce2
SHA1: b44856864eeb77f2d73d71fbfd323f006363c3fb
SHA256: 27d02f0a88d28829a83f1cb05a90fd47798e1ff91591029793a9ccfb6d8d14da
SHA512: 344bb66f4200dc7b91ec12c6dd73f8a5c9bf6f0942fa12ba65be2d8f7081efa723defad4f604a4b907a39282fe80ed97433b84601f5e4abb40ed09905da72a5f

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe
Filesize: 417KB
MD5: a5e603ffd2f00e966f2230590c221c66
SHA1: 297c2d9fdc76fefca09dac5bf5b20b7ab9510890
SHA256: 9bf22ad59d805cd058457dc980c7d66388923ef0c00bf60fbd2d28933f621737
SHA512: 632725977a5452af0cb57085bb49833cd9f99c05f81c3477bdbc39c1d3198b8227a862f711e95740729e2c7fdef1ceb1562da8bab5dad4da7df932dafe9b0f2f

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe
Filesize: 254KB
MD5: 7d5a6de393b9a9d8b97e5f85f8d96ef6
SHA1: 27ee54c58fd5133e5e53dfdc09bcc4a921cac422
SHA256: 4af8e75dfddfde4ce118b847e95e77fad7f775aa6e0824e586932c4807059e7f
SHA512: ac397a542daa97822d06b763217b55da2663c4c73c01b70a335844278a4fe60e4b1b00a31fe2f7b5954cc9ac4d46f0a8cd5f9d639ad64b260e5f4cfb2642550e

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe
Filesize: 352KB
MD5: 00428256f70551c84c7321970cdc53cd
SHA1: ea6d64e78c991a1978fc8018928b4a82a4d1564d
SHA256: 41b8de82fa304213245bbaf54a95d9bf62a621478b8918576309fb6e89eda97c
SHA512: b9c20a134a1fadf59fdf7ad6638f6ef7882c68f8d68b539e2bd75ce4df31430ced6cc270b4dba47fa037faefce4209374d27118bd759e6d81aa5091d1bdae1be

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe
Filesize: 189KB
MD5: 24521e0e4ff80ec026b26bd91fb35814
SHA1: 1cf942e47978651e2007d6bcfa0858ae8e061a09
SHA256: a8988f6abaf68f2de8ec718b12647c0c1d3eaec8d6b7da90bb54b52d790308d4
SHA512: 83a95155ff8f5cae0a8f51217a846b99f15e565983a9adf25f0eae9e5776b33ac8ca2532098012dc3a8117593ac4173d4f4a7faadc3fb73297a2ee1bc2e0fc9f

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe
Filesize: 124KB
MD5: bec23ed6f40d2d0aa004ba48bdddd1f0
SHA1: ccac53c8c930a857bd8ddad248a16d5f601efd47
SHA256: 90e041311b6fc3b92306ba38e98431d874c77369e1e3cffe1e7247948fe78a4e
SHA512: d8ec7da14addc5ca5d5bc22c1aa5b54f4ef66cbf8102342a2818b9456e5cb8b8461b83523f0b6b9c46ccf09d2e3b0585382acf0b39dbe7eb8d408123094225c5

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe
Filesize: 222KB
MD5: 6a063093130a94dde2ed4ed5190f4591
SHA1: 14a584a3198ce15445293c447b64e40f175778b2
SHA256: ec166e0c3a4b1d10e131ef693df960038a838e853993e554157e25902710f7d5
SHA512: 52abb8a99086804f5d119aec5e2d3e65c60e8b24a18e774b7513ea2da80f10b0e4a00f3be8c79ac82249da3eb53d8a0b0c1957f502d8ec316f898de80501948d

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe
Filesize: 157KB
MD5: 72fe255af046de79ac4650cb4a4332fa
SHA1: f4908b352614c56263742f28152579b5f3099693
SHA256: a72d5f83151a25cb339c78fd98048d9779b50529ece3e8a38ac93bc294645f5d
SHA512: 1bafa57faa6168588db7aa79ac3b234b6c89f985d62aacb8581f7cdf51226698ba6efa538d0e5759167dab8a07d475f08731706ecd3c9a481ce5be107edafee7

C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe
Filesize: 92KB
MD5: c3c940432ca2448b87397ac5dfaf98ef
SHA1: 1e569cee32fcc218269305aaffd71f1c257a8eab
SHA256: 9bc1dda9d5b4bdaf8156830b0199fd580cd80a7d19b91041e72b5be0b1d47bbd
SHA512: be7ca7f7dd31167198243e9007a0e772f8899c411ee0574af7757efd87464e604a58a827826f4ae179d36f20b5d4cdca08ddbb686215b7887c8d2f580e2400e6
Filesize: 32KB
MD5: cdaabb480b7d3c10c6f4f451c8c08d69
SHA1: 667ce007c73b1d663decd86d730227569d23acbb
SHA256: f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842
SHA512: 389083da42235678a2d2b3420729fd46be6c0139b9177dc39108252cbbc24881d610e0637f12980f86c042ec79abcf0bdbac7d94610ab11269f8b0f44a6bbc31

Filesize: 9B
MD5: 8d5d367ed8a2afc1fc0b8fc7d14da98c
SHA1: fddfad39cd8b448d0d3dbb6e9c67752999568783
SHA256: 93740c0db50f557803e16032194380e92e586f9cd845c4543eae2c3aa97d95f6
SHA512: 3215518f650fe697fa80054e2e7e98a55a23832309347704985d502ecf46726048291ace0a619b669726fda404c9235047a21563971a238864ee3523f5bbe96b