Analysis
max time kernel: 150s
max time network: 102s
platform: windows11-21h2_x64
resource: win11-20250619-en
resource tags: arch:x64, arch:x86, image:win11-20250619-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 30/06/2025, 17:42
Static task: static1
Behavioral task: behavioral1
  Sample: d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
  Resource: win10v2004-20250619-en
Behavioral task: behavioral2
  Sample: d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
  Resource: win11-20250619-en
General
Target: d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
Size: 579KB
MD5: 28bd5c3abf0b5b887d65baf1994b56a6
SHA1: 86102826cbdc7e7801eae5ab3c51f67c88411eef
SHA256: d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91
SHA512: 1e2446e3e68c6038a9a8ead218942dde6bec49cd3d311ccd94f15c94a769fcea5d8433d22ec8ea9ab065acdeeea8ad30be9bd9daf4f9ffa50fa28fd06e38c186
SSDEEP: 12288:VjiSjjiSjjiSjjiSjjiSjjiSjjiSjjiSjjiSjjiSjjiSjjiSjjiSjjiSjjiSjji2:kfffffffffffffffji
Malware Config
Signatures
-
Modifies visibility of file extensions in Explorer 2 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-707770698-2523217751-1187874351-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-707770698-2523217751-1187874351-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1" | C9862.com
-
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
-
Executes dropped EXE 18 IoCs
pid | Process
2736 | Logo1_.exe
3400, 3452, 3368, 4936, 4140, 5328, 3328, 4968, 4620, 4252, 5320, 3460, 1856, 5268, 5896, 5152 | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe (one entry per PID)
748 | C9862.com
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TempCom = "C:\\WINDOWS\\FONTS\\C9862.com" | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\O:, \??\K:, \??\T:, \??\P:, \??\H:, \??\Z:, \??\W:, \??\V:, \??\S:, \??\R:, \??\L:, \??\J:, \??\G:, \??\X:, \??\U:, \??\Q:, \??\N:, \??\M:, \??\I:, \??\E:, \??\Y: (one entry per drive letter) | Logo1_.exe
-
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 21 IoCs
description | ioc | Process
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\Logo1_.exe | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe (repeated entries)
File created | C:\WINDOWS\FONTS\C9862.com | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
File opened for modification | C:\WINDOWS\FONTS\C9862.com | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
File created | C:\Windows\rundl132.exe | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
File created | C:\Windows\Dll.dll | Logo1_.exe
-
System Location Discovery: System Language Discovery 1 TTPs 37 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe (repeated entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe (repeated entries)
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Logo1_.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C9862.com
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | net1.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 62 IoCs
pid | Process
5840 | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe (repeated entries)
2736 | Logo1_.exe (repeated entries)
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
748 | C9862.com
-
Suspicious use of SetWindowsHookEx 2 IoCs
pid | Process
5152 | d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
748 | C9862.com
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
Process tree (each entry is a child of the one above it; the bracketed number is its depth in the tree):

[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    PID: 3332
[2] C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID: 5840
[3] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a72DE.bat
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 5372
[4] C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3400
[5] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7445.bat
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3512
[6] C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3452
[7] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a74A3.bat
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3404
[8] C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3368
[9] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7511.bat
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4636
[10] C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4936
[11] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a754F.bat
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4900
[12] C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4140
[13] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a759D.bat
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4440
[14] C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 5328
[15] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7649.bat
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 5036
[16] C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 3328
[17] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a76B6.bat
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 5624
[18] C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4968
[19] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7743.bat
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4836
[20] C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4620
[21] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a77DF.bat
    - System Location Discovery: System Language Discovery
    PID: 3124
[22] C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID: 4252
[23] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a781E.bat
    - System Location Discovery: System Language Discovery
    PID: 4724
[24] C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID: 5320
[25] C:\Windows\SysWOW64\cmd.exe
    command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a78AA.bat
    - System Location Discovery: System Language Discovery
    PID: 3692
[26] C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3460 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7918.bat27⤵
- System Location Discovery: System Language Discovery
PID:1060 -
C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"28⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:1856 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7985.bat29⤵
- System Location Discovery: System Language Discovery
PID:4716 -
C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"30⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5268 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a79D3.bat31⤵
- System Location Discovery: System Language Discovery
PID:3620 -
C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"32⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:5896 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7A21.bat33⤵
- System Location Discovery: System Language Discovery
PID:3740 -
C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"34⤵
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:5152
C:\Windows\Logo1_.exe (depth 3)
Command line: C:\Windows\Logo1_.exe
- Drops startup file
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 2736
-
C:\Windows\SysWOW64\net.exe (depth 4)
Command line: net stop "Kingsoft AntiVirus Service"
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID: 5348
-
C:\Windows\SysWOW64\net1.exe (depth 5)
Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
- System Location Discovery: System Language Discovery
PID: 2856
C:\Windows\system32\cmd.exe (depth 2)
Command line: C:\Windows\system32\cmd.exe /c C:\WINDOWS\FONTS\C9862.com
PID: 5536
-
C:\WINDOWS\FONTS\C9862.com (depth 3)
Command line: C:\WINDOWS\FONTS\C9862.com
- Modifies visibility of file extensions in Explorer
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID: 748
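The process tree above carries three behaviours worth turning into detection logic rather than reading once and forgetting: the sample re-launches a copy of itself through a cmd.exe /c %TEMP%\$$a....bat stage at every other depth level (PIDs 4440 through 3740 are the .bat stages, 5328 through 5152 the copies they start), Logo1_.exe stops the "Kingsoft AntiVirus Service" through net.exe and net1.exe, and code executes from two places where nothing should normally run: C:\WINDOWS\FONTS (C9862.com) and the Windows root (Logo1_.exe). The Python below is an added example, not part of this report or of any sandbox vendor's tooling. Its process records are transcribed from the tree; the record layout, the rule names and the anti-virus keyword list are this example's own assumptions, and the rules are written so they would also fire on a different sample that shows the same shape.

```python
"""Detection rules derived from the process tree in this report.

Added example, not part of the report or of any sandbox vendor's tooling.
The process records are transcribed from the tree above; the record layout,
rule names and the anti-virus keyword list are this example's own choices.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE = "d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"


@dataclass(frozen=True)
class Proc:
    pid: int
    depth: int    # nesting level shown in the report's tree
    image: str    # image path as recorded by the sandbox
    cmdline: str


def _sample_stage(pid, depth):
    path = rf"{TEMP}\{SAMPLE}"
    return Proc(pid, depth, path, f'"{path}"')


def _bat_stage(pid, depth, suffix):
    return Proc(pid, depth, r"C:\Windows\SysWOW64\cmd.exe",
                rf"C:\Windows\system32\cmd.exe /c {TEMP}\$$a{suffix}.bat")


# Transcribed from the report (pid, depth, .bat suffix). Each copy of the
# sample is followed by a cmd.exe /c $$a....bat stage that starts the next.
PROCESSES = [
    _sample_stage(4140, 12), _bat_stage(4440, 13, "759D"),
    _sample_stage(5328, 14), _bat_stage(5036, 15, "7649"),
    _sample_stage(3328, 16), _bat_stage(5624, 17, "76B6"),
    _sample_stage(4968, 18), _bat_stage(4836, 19, "7743"),
    _sample_stage(4620, 20), _bat_stage(3124, 21, "77DF"),
    _sample_stage(4252, 22), _bat_stage(4724, 23, "781E"),
    _sample_stage(5320, 24), _bat_stage(3692, 25, "78AA"),
    _sample_stage(3460, 26), _bat_stage(1060, 27, "7918"),
    _sample_stage(1856, 28), _bat_stage(4716, 29, "7985"),
    _sample_stage(5268, 30), _bat_stage(3620, 31, "79D3"),
    _sample_stage(5896, 32), _bat_stage(3740, 33, "7A21"),
    _sample_stage(5152, 34),
    Proc(2736, 3, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    Proc(5348, 4, r"C:\Windows\SysWOW64\net.exe",
         'net stop "Kingsoft AntiVirus Service"'),
    Proc(2856, 5, r"C:\Windows\SysWOW64\net1.exe",
         r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
    Proc(5536, 2, r"C:\Windows\system32\cmd.exe",
         r"C:\Windows\system32\cmd.exe /c C:\WINDOWS\FONTS\C9862.com"),
    Proc(748, 3, r"C:\WINDOWS\FONTS\C9862.com", r"C:\WINDOWS\FONTS\C9862.com"),
]

# %TEMP%\$$a<hex>.bat, the shape of every cmd.exe stage in the tree.
TEMP_BAT = re.compile(r"\\\$\$a[0-9a-f]+\.bat\b", re.IGNORECASE)
# service name handed to "net stop", quoted or not
NET_STOP = re.compile(r"\bstop\s+\"?([^\"]+?)\"?\s*$", re.IGNORECASE)
AV_WORDS = ("antivirus", "anti-virus", "kingsoft")   # assumption: extend per estate


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def _dirname(path):
    return path.rsplit("\\", 1)[0].lower()


def detect(procs):
    """Return {rule_name: [pid, ...]} in tree order for every rule that fired."""
    hits = defaultdict(list)
    bat_depths = set()
    for p in procs:
        name, parent = _basename(p.image), _dirname(p.image)
        if name == "cmd.exe" and TEMP_BAT.search(p.cmdline):
            hits["cmd_runs_temp_bat"].append(p.pid)
            bat_depths.add(p.depth)
        if name in ("net.exe", "net1.exe"):
            m = NET_STOP.search(p.cmdline)
            if m and any(w in m.group(1).lower() for w in AV_WORDS):
                hits["stops_av_service"].append(p.pid)
        if parent == r"c:\windows\fonts":
            hits["exec_from_fonts_dir"].append(p.pid)
        if parent == r"c:\windows":
            hits["exec_from_windows_root"].append(p.pid)
    # A copy of the sample started one level below a cmd /c $$a*.bat stage:
    # the re-launch loop that produces the deep chain in the report.
    for p in procs:
        if _basename(p.image) == SAMPLE.lower() and p.depth - 1 in bat_depths:
            hits["relaunch_via_temp_bat"].append(p.pid)
    return dict(hits)


if __name__ == "__main__":
    for rule, pids in detect(PROCESSES).items():
        print(f"{rule:24s} {len(pids):2d} hit(s): {pids}")
```

Run against the transcribed records, relaunch_via_temp_bat fires on the eleven copies started below a .bat stage and not on PID 4140, whose parent stage is above the part of the tree shown here; the two "exec_from" rules are deliberately path-based so they stay useful when the dropped file names change between infections.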
Network
MITRE ATT&CK Enterprise v16
Privilege Escalation
- Boot or Logon Autostart Execution (1)
  - Registry Run Keys / Startup Folder (1)
Defense Evasion
- Hide Artifacts (1)
  - Hidden Files and Directories (1)
- Modify Registry (2)
Credential Access
- Credentials from Password Stores (1)
  - Credentials from Web Browsers (1)
- Unsecured Credentials (1)
  - Credentials In Files (1)
Downloads
-
Filesize: 722B
MD5: dde91f3e7e39fc387353686479ccd8f2
SHA1: 128a9427001d4f774f3af8a7f4865773e2dc2202
SHA256: bb2d94ec9deb84694f01262efc87519b3cd977448a6b297ecc1c05961ea279a8
SHA512: 8446c00ccac0ec43eb4c5b7cb78f8368e36cac6f4b49684f3baa587b0ab00a9a8d38ec231b0c9b91d3f41a477d661ed6ce6153a58b3340e0cfb0719257e11792
-
Filesize: 722B
MD5: 1713312160f6571f0c77e4642714c011
SHA1: ef8d6a7392f9310ca87730bec09c8079fef2c90d
SHA256: 9a7e3cf524f3dc34a5833b33415864e3d8eaa2be90a824fa40d510b6c8ac2299
SHA512: fff9e25d2daf24f900a05611b810090959733b8094131cfbe5702ac88c9f4552514301bd13e5d04a1e45a3d08fb740b7a9690322eb4e22b8ed4a2d8106ff73c6
-
Filesize: 722B
MD5: 4f4226a825f10b87ad6e60ea21d40cb1
SHA1: 86cfe56952d22d2a6ed19f4f6390bf5d058e018f
SHA256: a3266b9d9d46c1785ccf81192d1dd96db91f8fdf45b3abc77e649e0e3a3a3495
SHA512: 0dbf4f19dc5c3275900c90020fc76c8fe14b97493459ef61476701a6eee9b212d7b5905bf441d692cd7c49b5a3a67eb26343e376eed695bcb4479b53edeec62f
-
Filesize: 722B
MD5: bd61413cb7272deb724607bbc474d5c3
SHA1: 4a81f8e4bf53a20dcbb1aa223f6ab4882b53fbcf
SHA256: 76db142c98ebb07620fef2ebe6d126350e9250109e5837ec3ef692cc241b0061
SHA512: ec8f7ef56534d1c77d66abaaa865f416ccbec352c5407cf2ba443ecef0b23bb8ec976d726e034df030e7e1901f48bf28658e3a6222f6efdad4816f854c09de9d
-
Filesize: 722B
MD5: d87f8eaa4b5342bec7493e02a2b91e2d
SHA1: 5ca9d706fbd544fe9b8db2d238e409b5c73c49de
SHA256: 94fbfe40345b81ea7aa3713ccf863a1a6485aa0ae365d7d5ad6571f284d60308
SHA512: 1a9884d84929ab649ba326be17d2b52cb85168d0fca402e744e57af88ab16c943e4fe6db703117fcd0ebdaf4a037b25c0fefe282cce0c90ac149939d891fca79
-
Filesize: 722B
MD5: 7a1d9a49adc58989c92b55710baf1d6d
SHA1: b8c267f686297a239173461fd617839e088ac91c
SHA256: cf05c9cf1e0de80cea18907b74780da2f1694b65ba4f3675b30daf1e1f5d010a
SHA512: 1f80229a62bb4e55d73afb257f18bc133e0c95bc22c3e92767c209af4c06081c09383f1b28ebef2fd9947ec0bd5005a87b888cbbb4cf437633e9388ecd7d2120
-
Filesize: 722B
MD5: 83f616e4aa04205bff600b5b04a3d4ef
SHA1: 91ecf3bcb5eb2188050d8cb9f73cec5bfeb96b03
SHA256: d3176abdf80e4165a56a8816ea3c8aae2b68ea0f569c97e1c1aa32892661b38f
SHA512: dc5fc5851ea8ded28dc286e39fc4ba3e3124467ddff3acace08162eef20ac6b1ae2c6fa31f52e7794765931e04a8d82458994c517dd4b21e65b201ce020064b3
-
Filesize: 722B
MD5: 72d85dcc0bf812ec72bfc34467667652
SHA1: d420e0254b3aa9778ef6b015a495ec8fa2de0f08
SHA256: 50184d9c1e0d5d4793f3a6277180c46c17ebd3bb5e570e5d1cd2cb400769e876
SHA512: 25e89a96d896c086ae0f3568d3cafc2481cc26cff690fc97ba027ade431bf8221e7037ed44dd19cb8beb16c61e48c39bafacd5d8a33f3f004c824d7f1bdf763c
-
Filesize: 722B
MD5: 77e483938bc45b10d8b87d2808ec9c11
SHA1: 73b58486710c75c6c0f16309d395809669f46f5e
SHA256: bb36536c525698eab004ac98e999388483febc08fec7f1eff2ae7e03f342b6ae
SHA512: 92a65b352a6233225e8e0d9bab45d098472bee1f507bc77872469addce45ed015cac079b37473d8c00cdc8e9c87c88d9546d3db57396c611cce9ca050f8d8d22
-
Filesize: 722B
MD5: 37f39737e5bd8020155c54c39c418b1b
SHA1: 408e0b0190004eca4869e96a62ef8472a362fff0
SHA256: 8c34cfa7a7b9ff6085c122157f7f00a0444221e5280954958b27480cc995d2e0
SHA512: a41f75ee4ec3df681edf70f4a73dce5f40895816a1aaf811960464f5ea748c15fdde000a317973ab156e07c0f1a6258ca9b22acd126fd75af934be289fdb5a65
-
Filesize: 722B
MD5: 894f8ab14aec4c01c6f52a9c8872d66f
SHA1: eb9e4b35c456e063302f7bbfef3aefb725db5ed2
SHA256: eae8e3a7e9825f85b32c27cf2d024705947584cafd50873806c7bf6b78b25820
SHA512: 2079e73f795ce8def610ec0b1a839a03d7e9d7608ca4805312cd868b173bba8411682816bfd34c9c644102ac9b49b4115111cce137c71d083a6d51ec9ccc8a33
-
Filesize: 722B
MD5: 3a990b85816b2b6a08e1dd674df27811
SHA1: 59b9b735d227e789859c18b46ed567e0a8b6c645
SHA256: 18a7e0eadadb317f19e1ab27e7c63667f57676c16afb877a670ae3f0dd319c85
SHA512: 26bc4c68a0266acc545b2268cf888bd23aaf4932006738bb683fae2ac0e34b687a3321bb1a5b82adf53a0abc189911f8adbfa7187b618539c201f8765524d8d8
-
Filesize: 722B
MD5: 10c628e560dc222ff817c4d29731163f
SHA1: 97b3ef2e30935fee7cc067fa56cfaa7c44eaecc3
SHA256: 1c57102251383103cf5df4b72112ee33c70b5e9a72723334131fa59c77c93623
SHA512: f3882441d2f7f2e0a24e7e32c3990fc54f920fa66b30c07af4fcf6177902c766897f22dfac4344514abfbfa6e98d2cac9ec98d51767df412dc851ef5bc5abe4a
-
Filesize: 722B
MD5: 04ad59c5dac859befa79e464b48303a5
SHA1: d1d7bcb97a4d717c3e32b6dce1cd7cb318245f4e
SHA256: 0ac90ff8030653a7b918ff7cddd0dd7a627f0dedcf8e96043ed35b9af7d93cb1
SHA512: 00efa386e8cc5642fddacece5fb57f53de8f4c90b1ad10768960627a1a257fa26afa98ef97300cb55bdd6fee56792ae8878d258af80c136f4785513c37b85dc9
-
Filesize: 722B
MD5: 07d7343ee6acd92cdf84b4fd433f1c31
SHA1: 1665537c2d792496bc964d3bfbdb5459c542f777
SHA256: 953855d61a090a44b12b8b8774714302490b0d1fc12ded639d936eab53e7b1af
SHA512: 529047ea83c9878eb71a5303da9a19bd8afb1356c4bbf7ee5c3a4edb3d750661b49c7961118f72007bd812c56ee64a21887defdc9680e6d3c21159758348bbc4
-
Filesize: 722B
MD5: c707156727041046cac029c3c74f1f03
SHA1: f1a976493eb9a2855bef856e552f2b1e37172bbc
SHA256: 380c5b6c859651b9016224b829d656173ed891dbd60760d265c6f801259f0921
SHA512: d9e97f912ae15d8401e5a1a31bd411b28d9cab296a60a72fae255d897824d5ecbd8eeb6e754c9e8f9dff07ea0fdaa9e06b05402f40fd481b9b97d3ae0e7e6c01
-
C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe
Filesize: 547KB
MD5: 0137dec43c77f401659bcd7a4032702c
SHA1: e40ab90e560caa2734ba3e46c5cd5aaa684b3eea
SHA256: 6cb9ea30ccbbd5f19396010e30c7e4aca6cba55894014a64412a43511ada433d
SHA512: c434bcd9e0beb61137a55fdb11b17d3ce0445f058791923bac3dd326d658db319b35f2226d7c450d1b7baad6f24c53637b14fede37b173cb672ffc5a46e9e740
-
C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe
Filesize: 514KB
MD5: f0866c2d2ab43b833b957787b4a08526
SHA1: 1410b5b5faf130cf22160968238aab93bb3c960b
SHA256: ebd70e789f272064e045929c7d1d0bce6f64a5a5c056ea2e70ab1542ab3ce1ae
SHA512: 6a4813362a23f390922388eb8123aa81af797cb6435dbe6ded1dc281d54135c93ee5b6567f55586210808384f27052e76eb07bcc3641a9906294f88f4a499a2c
-
C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe
Filesize: 482KB
MD5: 47db56aa979056f9beba80adc63e72ea
SHA1: 1dc36f048b9ed9f98f7f9ef069f26193dea713b8
SHA256: bc1183cf270c5164bd3e4c6ad4c1fc32a729fe5aba53784e52d76238d7f873e8
SHA512: f2f520e95283a73a009eb3b8be439c386dd921cd008b68a78594df744053611057b7e7f6794388edf63d93cc4ba1349d2cca9415a9c2e317fcd5047d0e12adb9
-
C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe
Filesize: 449KB
MD5: 6d9545c6556a236a67207db368fcdce2
SHA1: b44856864eeb77f2d73d71fbfd323f006363c3fb
SHA256: 27d02f0a88d28829a83f1cb05a90fd47798e1ff91591029793a9ccfb6d8d14da
SHA512: 344bb66f4200dc7b91ec12c6dd73f8a5c9bf6f0942fa12ba65be2d8f7081efa723defad4f604a4b907a39282fe80ed97433b84601f5e4abb40ed09905da72a5f
-
C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe
Filesize: 417KB
MD5: a5e603ffd2f00e966f2230590c221c66
SHA1: 297c2d9fdc76fefca09dac5bf5b20b7ab9510890
SHA256: 9bf22ad59d805cd058457dc980c7d66388923ef0c00bf60fbd2d28933f621737
SHA512: 632725977a5452af0cb57085bb49833cd9f99c05f81c3477bdbc39c1d3198b8227a862f711e95740729e2c7fdef1ceb1562da8bab5dad4da7df932dafe9b0f2f
-
C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe
Filesize: 384KB
MD5: a353218f7897ca4ea7b1ff4416fe1817
SHA1: 84d8a5c89b0193eac2f74bd315811c68022946d2
SHA256: ff4695e69b9c508b085d5dedf5fd3cac436076f56dc5b098920713418dac3c89
SHA512: df38221aa63a6c0d4575dddcb51ae00373dfcd566f09d90748aa4aec661359f64e81ac4feffa8280068abc35c512dc15f343989ce769074d88b5f744e03aaaac
-
C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe
Filesize: 352KB
MD5: 00428256f70551c84c7321970cdc53cd
SHA1: ea6d64e78c991a1978fc8018928b4a82a4d1564d
SHA256: 41b8de82fa304213245bbaf54a95d9bf62a621478b8918576309fb6e89eda97c
SHA512: b9c20a134a1fadf59fdf7ad6638f6ef7882c68f8d68b539e2bd75ce4df31430ced6cc270b4dba47fa037faefce4209374d27118bd759e6d81aa5091d1bdae1be
-
C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe
Filesize: 319KB
MD5: e9d499bb915d58a3a58429209eb00b7d
SHA1: 8715af16ec2efe464f486eefd15a5d248e3caebb
SHA256: f6baf3ee157e1e1798836bbd3ef63de56d4573c6c81f1fb68a3f64c8d5fdf992
SHA512: b9a408171b0827496f81490e9351401943e5de79c19c3da234b05fc543dde913c0f2928f73d5a207d8e5df30954b320f5006faf70a5591ae93de84ca659fcce6
-
C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe
Filesize: 287KB
MD5: 56cf1234d82b459b0d4b0e91312d62da
SHA1: 18c24408609bb6546b66e41bd6e8dfbd013563fe
SHA256: c11d5b1dc931fd3aaf644df9fd7d8febb921c71a918a221202d0f48a105831d0
SHA512: 57d70544604eda2438d4a18cc3a87fdb948ff62e15296a8525bf127e1758ae045bf3fe2b4c46c3196d07ae5ad50ef296169c99fec8c93f2bb93b39798feea6f3
-
C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe
Filesize: 254KB
MD5: 7d5a6de393b9a9d8b97e5f85f8d96ef6
SHA1: 27ee54c58fd5133e5e53dfdc09bcc4a921cac422
SHA256: 4af8e75dfddfde4ce118b847e95e77fad7f775aa6e0824e586932c4807059e7f
SHA512: ac397a542daa97822d06b763217b55da2663c4c73c01b70a335844278a4fe60e4b1b00a31fe2f7b5954cc9ac4d46f0a8cd5f9d639ad64b260e5f4cfb2642550e
-
C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe
Filesize: 222KB
MD5: 6a063093130a94dde2ed4ed5190f4591
SHA1: 14a584a3198ce15445293c447b64e40f175778b2
SHA256: ec166e0c3a4b1d10e131ef693df960038a838e853993e554157e25902710f7d5
SHA512: 52abb8a99086804f5d119aec5e2d3e65c60e8b24a18e774b7513ea2da80f10b0e4a00f3be8c79ac82249da3eb53d8a0b0c1957f502d8ec316f898de80501948d
-
C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe
Filesize: 189KB
MD5: 24521e0e4ff80ec026b26bd91fb35814
SHA1: 1cf942e47978651e2007d6bcfa0858ae8e061a09
SHA256: a8988f6abaf68f2de8ec718b12647c0c1d3eaec8d6b7da90bb54b52d790308d4
SHA512: 83a95155ff8f5cae0a8f51217a846b99f15e565983a9adf25f0eae9e5776b33ac8ca2532098012dc3a8117593ac4173d4f4a7faadc3fb73297a2ee1bc2e0fc9f
-
C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe
Filesize: 157KB
MD5: 72fe255af046de79ac4650cb4a4332fa
SHA1: f4908b352614c56263742f28152579b5f3099693
SHA256: a72d5f83151a25cb339c78fd98048d9779b50529ece3e8a38ac93bc294645f5d
SHA512: 1bafa57faa6168588db7aa79ac3b234b6c89f985d62aacb8581f7cdf51226698ba6efa538d0e5759167dab8a07d475f08731706ecd3c9a481ce5be107edafee7
-
C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe
Filesize: 124KB
MD5: bec23ed6f40d2d0aa004ba48bdddd1f0
SHA1: ccac53c8c930a857bd8ddad248a16d5f601efd47
SHA256: 90e041311b6fc3b92306ba38e98431d874c77369e1e3cffe1e7247948fe78a4e
SHA512: d8ec7da14addc5ca5d5bc22c1aa5b54f4ef66cbf8102342a2818b9456e5cb8b8461b83523f0b6b9c46ccf09d2e3b0585382acf0b39dbe7eb8d408123094225c5
-
C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe
Filesize: 92KB
MD5: c3c940432ca2448b87397ac5dfaf98ef
SHA1: 1e569cee32fcc218269305aaffd71f1c257a8eab
SHA256: 9bc1dda9d5b4bdaf8156830b0199fd580cd80a7d19b91041e72b5be0b1d47bbd
SHA512: be7ca7f7dd31167198243e9007a0e772f8899c411ee0574af7757efd87464e604a58a827826f4ae179d36f20b5d4cdca08ddbb686215b7887c8d2f580e2400e6
-
C:\Users\Admin\AppData\Local\Temp\d005def8310c290fb4677342f7d0687c2510171caec59d4a24a79cdc0d84dc91.exe.exe
Filesize: 60KB
MD5: 73d597a2b90c7d4d2e90ca08c39d2f99
SHA1: d6788d79477f3f0da9b0c5229ce6834136d91a59
SHA256: d45bba35a13db84260f7981f247ff1a75cf3065ac993ae1a13708a542a19280e
SHA512: ec5e70b7db46d6c298052ffe9a7c89c5b7ba6de67551e36262d84fcd3e4930dfde9ab29b23845bcc54d76d67530b6455a3f422b3349032ab41915676730a01ce
-
Filesize: 32KB
MD5: cdaabb480b7d3c10c6f4f451c8c08d69
SHA1: 667ce007c73b1d663decd86d730227569d23acbb
SHA256: f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842
SHA512: 389083da42235678a2d2b3420729fd46be6c0139b9177dc39108252cbbc24881d610e0637f12980f86c042ec79abcf0bdbac7d94610ab11269f8b0f44a6bbc31
-
Filesize: 9B
MD5: 8d5d367ed8a2afc1fc0b8fc7d14da98c
SHA1: fddfad39cd8b448d0d3dbb6e9c67752999568783
SHA256: 93740c0db50f557803e16032194380e92e586f9cd845c4543eae2c3aa97d95f6
SHA512: 3215518f650fe697fa80054e2e7e98a55a23832309347704985d502ecf46726048291ace0a619b669726fda404c9235047a21563971a238864ee3523f5bbe96b