b16b2bb2cf65357f42f046e187a668cc9ddaf564f0d14e766b55404be97c9686

Analysis

max time kernel
142s
max time network
149s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
03-07-2024 04:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

????.exe
Size

117.8MB
MD5

e4fb5b6879486628df824ce3dcc2e007
SHA1

d02c1ac09bf788a8708b8d8e35d9091756087415
SHA256

08442e8713ab66e3117f06372fbbda290e770630d79c5f46274d22af0caa5375
SHA512

37084049a706301ee19c6b3fe9ccacaed9b9e0dc4ecb58d9d0487c04c1e6029078ca0c3cec5c261dc28be5ad76590a25e24dc3b1ba4585c3c6412965165401e7
SSDEEP

1572864:Zbjpp6KvAbWqERVxLKeHbOnOO7uTss/iiwFTKlWOQsQxhEEkkiYvEX74BWpR9nai:bUXe8qhYvia1klj/

Score

8^/10

evasion execution persistence

Malware Config

Signatures

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

____.exe____.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\Geo\Nation	____.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Control Panel\International\Geo\Nation	____.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

____.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\electron.app.飞机加速 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\____.exe --openAsHidden"	____.exe

Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exe

pid process

2160 sc.exe
1124 sc.exe
348 sc.exe

pid	process
2160	sc.exe
1124	sc.exe
348	sc.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

____.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	____.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	____.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	____.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	____.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	____.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	____.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

____.exe____.exe____.exe____.exe____.exe____.exe

pid process

2576 ____.exe
2448 ____.exe
2532 ____.exe
2060 ____.exe
2056 ____.exe
2004 ____.exe
2004 ____.exe
Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

____.exe

pid process

2004 ____.exe
2004 ____.exe
Suspicious use of SendNotifyMessage 2 IoCs

Processes:

____.exe

pid process

2004 ____.exe
2004 ____.exe

pid	process
2576	____.exe
2448	____.exe
2532	____.exe
2060	____.exe
2056	____.exe
2004	____.exe
2004	____.exe

pid	process
2004	____.exe
2004	____.exe

pid	process
2004	____.exe
2004	____.exe

Suspicious use of WriteProcessMemory 52 IoCs

Processes:

____.execmd.exeapn_service.exenet.exe

description	pid	process	target process
PID 2004 wrote to memory of 1720	2004	____.exe	____.exe
PID 2004 wrote to memory of 1720	2004	____.exe	____.exe
PID 2004 wrote to memory of 1720	2004	____.exe	____.exe
PID 2004 wrote to memory of 1720	2004	____.exe	____.exe
PID 2004 wrote to memory of 2576	2004	____.exe	____.exe
PID 2004 wrote to memory of 2576	2004	____.exe	____.exe
PID 2004 wrote to memory of 2576	2004	____.exe	____.exe
PID 2004 wrote to memory of 2576	2004	____.exe	____.exe
PID 2004 wrote to memory of 2448	2004	____.exe	____.exe
PID 2004 wrote to memory of 2448	2004	____.exe	____.exe
PID 2004 wrote to memory of 2448	2004	____.exe	____.exe
PID 2004 wrote to memory of 2448	2004	____.exe	____.exe
PID 2004 wrote to memory of 2532	2004	____.exe	____.exe
PID 2004 wrote to memory of 2532	2004	____.exe	____.exe
PID 2004 wrote to memory of 2532	2004	____.exe	____.exe
PID 2004 wrote to memory of 2532	2004	____.exe	____.exe
PID 2004 wrote to memory of 1124	2004	____.exe	sc.exe
PID 2004 wrote to memory of 1124	2004	____.exe	sc.exe
PID 2004 wrote to memory of 1124	2004	____.exe	sc.exe
PID 2004 wrote to memory of 1124	2004	____.exe	sc.exe
PID 2004 wrote to memory of 348	2004	____.exe	sc.exe
PID 2004 wrote to memory of 348	2004	____.exe	sc.exe
PID 2004 wrote to memory of 348	2004	____.exe	sc.exe
PID 2004 wrote to memory of 348	2004	____.exe	sc.exe
PID 2004 wrote to memory of 2160	2004	____.exe	sc.exe
PID 2004 wrote to memory of 2160	2004	____.exe	sc.exe
PID 2004 wrote to memory of 2160	2004	____.exe	sc.exe
PID 2004 wrote to memory of 2160	2004	____.exe	sc.exe
PID 2004 wrote to memory of 2728	2004	____.exe	cmd.exe
PID 2004 wrote to memory of 2728	2004	____.exe	cmd.exe
PID 2004 wrote to memory of 2728	2004	____.exe	cmd.exe
PID 2004 wrote to memory of 2728	2004	____.exe	cmd.exe
PID 2728 wrote to memory of 2340	2728	cmd.exe	apn_service.exe
PID 2728 wrote to memory of 2340	2728	cmd.exe	apn_service.exe
PID 2728 wrote to memory of 2340	2728	cmd.exe	apn_service.exe
PID 2728 wrote to memory of 2340	2728	cmd.exe	apn_service.exe
PID 2340 wrote to memory of 1216	2340	apn_service.exe	net.exe
PID 2340 wrote to memory of 1216	2340	apn_service.exe	net.exe
PID 2340 wrote to memory of 1216	2340	apn_service.exe	net.exe
PID 2340 wrote to memory of 1216	2340	apn_service.exe	net.exe
PID 1216 wrote to memory of 2508	1216	net.exe	net1.exe
PID 1216 wrote to memory of 2508	1216	net.exe	net1.exe
PID 1216 wrote to memory of 2508	1216	net.exe	net1.exe
PID 1216 wrote to memory of 2508	1216	net.exe	net1.exe
PID 2004 wrote to memory of 2060	2004	____.exe	____.exe
PID 2004 wrote to memory of 2060	2004	____.exe	____.exe
PID 2004 wrote to memory of 2060	2004	____.exe	____.exe
PID 2004 wrote to memory of 2060	2004	____.exe	____.exe
PID 2004 wrote to memory of 2056	2004	____.exe	____.exe
PID 2004 wrote to memory of 2056	2004	____.exe	____.exe
PID 2004 wrote to memory of 2056	2004	____.exe	____.exe
PID 2004 wrote to memory of 2056	2004	____.exe	____.exe

C:\Users\Admin\AppData\Local\Temp\____.exe
"C:\Users\Admin\AppData\Local\Temp\____.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2004

C:\Users\Admin\AppData\Local\Temp\____.exe
C:\Users\Admin\AppData\Local\Temp\____.exe --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Roaming\apnetwork /prefetch:7 --no-rate-limit --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Roaming\apnetwork\Crashpad --annotation=_productName=apnetwork --annotation=_version=0.0.14 --annotation=prod=Electron --annotation=ver=16.2.1 --initial-client-data=0x2f0,0x2f4,0x2f8,0x2e8,0x2fc,0x7c3a970,0x7c3a980,0x7c3a98c
2⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\____.exe
"C:\Users\Admin\AppData\Local\Temp\____.exe" --type=gpu-process --field-trial-handle=1040,14932913364263753142,4448301679050599968,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Roaming\apnetwork" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1052 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2576

C:\Users\Admin\AppData\Local\Temp\____.exe
"C:\Users\Admin\AppData\Local\Temp\____.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1040,14932913364263753142,4448301679050599968,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Roaming\apnetwork" --mojo-platform-channel-handle=1216 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2448

C:\Users\Admin\AppData\Local\Temp\____.exe
"C:\Users\Admin\AppData\Local\Temp\____.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\apnetwork" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --no-sandbox --no-zygote --no-sandbox --field-trial-handle=1040,14932913364263753142,4448301679050599968,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=1420 /prefetch:1
2⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
PID:2532

C:\Windows\SysWOW64\sc.exe
sc delete FadeService
2⤵
- Launches sc.exe
PID:1124

C:\Windows\SysWOW64\sc.exe
sc delete APNetworkService
2⤵
- Launches sc.exe
PID:348

C:\Windows\SysWOW64\sc.exe
sc queryex APNetworkService
2⤵
- Launches sc.exe
PID:2160

C:\Windows\SysWOW64\cmd.exe
cmd.exe /d /s /c ""C:\Users\Admin\AppData\Local\Temp\resources\extraResources\apn_service.exe" /install"
2⤵
- Suspicious use of WriteProcessMemory
PID:2728

C:\Users\Admin\AppData\Local\Temp\resources\extraResources\apn_service.exe
"C:\Users\Admin\AppData\Local\Temp\resources\extraResources\apn_service.exe" /install
3⤵
- Suspicious use of WriteProcessMemory
PID:2340

C:\Windows\SysWOW64\net.exe
net start APNetworkService
4⤵
- Suspicious use of WriteProcessMemory
PID:1216

C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 start APNetworkService
5⤵
PID:2508

C:\Users\Admin\AppData\Local\Temp\____.exe
"C:\Users\Admin\AppData\Local\Temp\____.exe" --type=gpu-process --field-trial-handle=1040,14932913364263753142,4448301679050599968,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Roaming\apnetwork" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAANAAAAEAAAAAAAAAABAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1052 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2060

C:\Users\Admin\AppData\Local\Temp\____.exe
"C:\Users\Admin\AppData\Local\Temp\____.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1040,14932913364263753142,4448301679050599968,131072 --disable-features=PlzServiceWorker,SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=audio --no-sandbox --user-data-dir="C:\Users\Admin\AppData\Roaming\apnetwork" --mojo-platform-channel-handle=1532 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2056

C:\Users\Admin\AppData\Local\Temp\resources\extraResources\apn_service.exe
C:\Users\Admin\AppData\Local\Temp\resources\extraResources\apn_service.exe
1⤵
PID:1264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e30494b9253130ad41b395ab4a7ceb6

SHA1
ccd5241edcaeb2c36ff24bd640d8d71448952261

SHA256
4a785127067962a240810d972c53a0c9cc3131ad6124999af5dc454e7475550f

SHA512
e141fc55f72faceb5ec5d08cf00428d9cb2be56e77ca9ecf7fb5b552ee8c4b2b1d91bcd4299ea5363e02261483b9e454c9f3555452bd4b2b608843b2a952c11f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab25BB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar262D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Roaming\apnetwork\Crashpad\settings.dat

Filesize
40B

MD5
93f7bb9bee6d25c3d614d6a14ec74fbd

SHA1
f967856698114db9d5543f8a080e2826b9125172

SHA256
b112c0566b0581df693549e1cd4fa492aa063e2767fe29a0a113ee48e46e2bee

SHA512
b04e58d11afd6129071c36b746cc58ed8ddca579a802be10896368f6eab0be2515a562e9860758e09d171171e402948c7d82788fbc2c8945c1ac41344ac11305

Download Submit
C:\Users\Admin\AppData\Roaming\apnetwork\Session Storage\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Roaming\apnetwork\config.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\apnetwork\config.json

Filesize
29B

MD5
0799ca7d102110a905ca21b94611a6bb

SHA1
95a4c4747e5d602e2974fe61e5c6e1d86f8ca5fa

SHA256
5274b4d9db541cc217801862c8caf3bb075979b25dd5ced8ea4506aba43664fa

SHA512
eb8ed75921c4d5c8fc9b932ff5651cb45bb788ab233ee8d6093b12768a320a0b76b528d814fabcd4034b06e69465e930bb9e54a058cd242064480de76911281d

Download Submit
\??\pipe\crashpad_2004_OVPAMBHQCNXXQXRQ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1264-249-0x0000000063D40000-0x0000000063D4F000-memory.dmp

Filesize
60KB

Download