Analysis
- max time kernel: 150s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 09/09/2024, 14:53
- Static task: static1
- Behavioral task: behavioral1
- Sample: c16080fcc2b6c83e0092b93d46158da83c855920da62c6205b64035ba690500a.exe
- Resource: win7-20240903-en
General
- Target: c16080fcc2b6c83e0092b93d46158da83c855920da62c6205b64035ba690500a.exe
- Size: 72KB
- MD5: 5dd18ff4345abfe77af08f42d954cd63
- SHA1: 8a513783bc18aab4fa066e67718f638519144a1e
- SHA256: c16080fcc2b6c83e0092b93d46158da83c855920da62c6205b64035ba690500a
- SHA512: 25413e9a76a1e77bedd62c3bf0b34cdcd016c5076f2bb53596d8d5fb83110ed19246fc61358bc2b1830afda74661e23d524e142136f7bf56ab2b25ea346f1906
- SSDEEP: 1536:8Ze+Zk7VJbwlYXjPrsqrZMYR5p8wUawuzXv4exFRKs9uhh:8Ze+azbRPrlr9RXFUawuzX+kuX
Malware Config
Signatures
-
Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (process: Logo1_.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (process: Logo1_.exe)
-
Executes dropped EXE (2 IoCs)
- PID 2680: Logo1_.exe
- PID 4964: c16080fcc2b6c83e0092b93d46158da83c855920da62c6205b64035ba690500a.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.
-
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Program Files directory (64 IoCs)
-
Drops file in Windows directory (4 IoCs)
- File created: C:\Windows\rundl132.exe (process: c16080fcc2b6c83e0092b93d46158da83c855920da62c6205b64035ba690500a.exe)
- File created: C:\Windows\Logo1_.exe (process: c16080fcc2b6c83e0092b93d46158da83c855920da62c6205b64035ba690500a.exe)
- File opened for modification: C:\Windows\rundl132.exe (process: Logo1_.exe)
- File created: C:\Windows\Dll.dll (process: Logo1_.exe)
-
System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (processes: net1.exe, net.exe, Logo1_.exe, cmd.exe, net.exe, c16080fcc2b6c83e0092b93d46158da83c855920da62c6205b64035ba690500a.exe, net1.exe, net1.exe, net.exe)
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
-
Suspicious use of WriteProcessMemory (29 IoCs)
-
Processes
-
- C:\Windows\Explorer.EXE (PID 3524)
  Command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\c16080fcc2b6c83e0092b93d46158da83c855920da62c6205b64035ba690500a.exe (PID 5048)
    Command line: "C:\Users\Admin\AppData\Local\Temp\c16080fcc2b6c83e0092b93d46158da83c855920da62c6205b64035ba690500a.exe"
    Signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 4324)
      Command line: net stop "Kingsoft AntiVirus Service"
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 4812)
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        Signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe (PID 3252)
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a9FBA.bat
      Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\c16080fcc2b6c83e0092b93d46158da83c855920da62c6205b64035ba690500a.exe (PID 4964)
        Command line: "C:\Users\Admin\AppData\Local\Temp\c16080fcc2b6c83e0092b93d46158da83c855920da62c6205b64035ba690500a.exe"
        Signatures: Executes dropped EXE
    - C:\Windows\Logo1_.exe (PID 2680)
      Command line: C:\Windows\Logo1_.exe
      Signatures: Drops startup file; Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 2000)
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 4728)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          Signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\net.exe (PID 3968)
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 3932)
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          Signatures: System Location Discovery: System Language Discovery
-
Network
MITRE ATT&CK Enterprise v15
Downloads