Analysis
max time kernel: 150s
max time network: 96s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/09/2024, 18:45
Static task: static1
Behavioral task: behavioral1
Sample: a0b1f03ea7685264b2995860d6dff1bc7c045f7f9d9e76ee5a09c675f7f5f509.exe
Resource: win7-20240903-en
General
Target: a0b1f03ea7685264b2995860d6dff1bc7c045f7f9d9e76ee5a09c675f7f5f509.exe
Size: 37KB
MD5: 91655cf58ff9d2338433f7d2e2c0fab2
SHA1: c97e280b563a30fda99bf41a8b792017e7a45a83
SHA256: a0b1f03ea7685264b2995860d6dff1bc7c045f7f9d9e76ee5a09c675f7f5f509
SHA512: b9968aa3b5ea598b8579f5024d6983e02b7c018830b68e466e9eb72db405f17351d26dd66bc04c7ed46ea33e4786db83d1f34100d7c72841c001e77340fe7570
SSDEEP: 768:mYBPLze+Vxr1x5cE9Fl5pz8UOutDlMXaoSunjXWNNCn3:/B3esrz8VuJlMXaDuiNE
Malware Config
Signatures
Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (Logo1_.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (Logo1_.exe)
Executes dropped EXE (1 IoCs)
- PID 5032: Logo1_.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only): \??\X: (Logo1_.exe)
- File opened (read-only): \??\U: (Logo1_.exe)
- File opened (read-only): \??\T: (Logo1_.exe)
- File opened (read-only): \??\J: (Logo1_.exe)
- File opened (read-only): \??\R: (Logo1_.exe)
- File opened (read-only): \??\Q: (Logo1_.exe)
- File opened (read-only): \??\P: (Logo1_.exe)
- File opened (read-only): \??\K: (Logo1_.exe)
- File opened (read-only): \??\I: (Logo1_.exe)
- File opened (read-only): \??\H: (Logo1_.exe)
- File opened (read-only): \??\G: (Logo1_.exe)
- File opened (read-only): \??\Z: (Logo1_.exe)
- File opened (read-only): \??\V: (Logo1_.exe)
- File opened (read-only): \??\S: (Logo1_.exe)
- File opened (read-only): \??\N: (Logo1_.exe)
- File opened (read-only): \??\M: (Logo1_.exe)
- File opened (read-only): \??\Y: (Logo1_.exe)
- File opened (read-only): \??\W: (Logo1_.exe)
- File opened (read-only): \??\O: (Logo1_.exe)
- File opened (read-only): \??\L: (Logo1_.exe)
- File opened (read-only): \??\E: (Logo1_.exe)
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
- File created: C:\Windows\rundl132.exe (a0b1f03ea7685264b2995860d6dff1bc7c045f7f9d9e76ee5a09c675f7f5f509.exe)
- File created: C:\Windows\Logo1_.exe (a0b1f03ea7685264b2995860d6dff1bc7c045f7f9d9e76ee5a09c675f7f5f509.exe)
- File opened for modification: C:\Windows\rundl132.exe (Logo1_.exe)
- File created: C:\Windows\Dll.dll (Logo1_.exe)
System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (net.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (net1.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Logo1_.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cmd.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (net.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (net.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (a0b1f03ea7685264b2995860d6dff1bc7c045f7f9d9e76ee5a09c675f7f5f509.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (net1.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (net1.exe)
Runs net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of WriteProcessMemory (26 IoCs)
- PID 2616 wrote to memory of 1060 (pid 2616, a0b1f03ea7685264b2995860d6dff1bc7c045f7f9d9e76ee5a09c675f7f5f509.exe, procid_target 83)
- PID 2616 wrote to memory of 1060 (pid 2616, a0b1f03ea7685264b2995860d6dff1bc7c045f7f9d9e76ee5a09c675f7f5f509.exe, procid_target 83)
- PID 2616 wrote to memory of 1060 (pid 2616, a0b1f03ea7685264b2995860d6dff1bc7c045f7f9d9e76ee5a09c675f7f5f509.exe, procid_target 83)
- PID 1060 wrote to memory of 2008 (pid 1060, net.exe, procid_target 85)
- PID 1060 wrote to memory of 2008 (pid 1060, net.exe, procid_target 85)
- PID 1060 wrote to memory of 2008 (pid 1060, net.exe, procid_target 85)
- PID 2616 wrote to memory of 408 (pid 2616, a0b1f03ea7685264b2995860d6dff1bc7c045f7f9d9e76ee5a09c675f7f5f509.exe, procid_target 89)
- PID 2616 wrote to memory of 408 (pid 2616, a0b1f03ea7685264b2995860d6dff1bc7c045f7f9d9e76ee5a09c675f7f5f509.exe, procid_target 89)
- PID 2616 wrote to memory of 408 (pid 2616, a0b1f03ea7685264b2995860d6dff1bc7c045f7f9d9e76ee5a09c675f7f5f509.exe, procid_target 89)
- PID 2616 wrote to memory of 5032 (pid 2616, a0b1f03ea7685264b2995860d6dff1bc7c045f7f9d9e76ee5a09c675f7f5f509.exe, procid_target 91)
- PID 2616 wrote to memory of 5032 (pid 2616, a0b1f03ea7685264b2995860d6dff1bc7c045f7f9d9e76ee5a09c675f7f5f509.exe, procid_target 91)
- PID 2616 wrote to memory of 5032 (pid 2616, a0b1f03ea7685264b2995860d6dff1bc7c045f7f9d9e76ee5a09c675f7f5f509.exe, procid_target 91)
- PID 5032 wrote to memory of 4176 (pid 5032, Logo1_.exe, procid_target 92)
- PID 5032 wrote to memory of 4176 (pid 5032, Logo1_.exe, procid_target 92)
- PID 5032 wrote to memory of 4176 (pid 5032, Logo1_.exe, procid_target 92)
- PID 4176 wrote to memory of 2368 (pid 4176, net.exe, procid_target 95)
- PID 4176 wrote to memory of 2368 (pid 4176, net.exe, procid_target 95)
- PID 4176 wrote to memory of 2368 (pid 4176, net.exe, procid_target 95)
- PID 5032 wrote to memory of 2400 (pid 5032, Logo1_.exe, procid_target 96)
- PID 5032 wrote to memory of 2400 (pid 5032, Logo1_.exe, procid_target 96)
- PID 5032 wrote to memory of 2400 (pid 5032, Logo1_.exe, procid_target 96)
- PID 2400 wrote to memory of 4624 (pid 2400, net.exe, procid_target 98)
- PID 2400 wrote to memory of 4624 (pid 2400, net.exe, procid_target 98)
- PID 2400 wrote to memory of 4624 (pid 2400, net.exe, procid_target 98)
- PID 5032 wrote to memory of 3424 (pid 5032, Logo1_.exe, procid_target 56)
- PID 5032 wrote to memory of 3424 (pid 5032, Logo1_.exe, procid_target 56)
Processes
- C:\Windows\Explorer.EXE (PID 3424)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\a0b1f03ea7685264b2995860d6dff1bc7c045f7f9d9e76ee5a09c675f7f5f509.exe (PID 2616)
    command line: "C:\Users\Admin\AppData\Local\Temp\a0b1f03ea7685264b2995860d6dff1bc7c045f7f9d9e76ee5a09c675f7f5f509.exe"
    signatures: Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 1060)
      command line: net stop "Kingsoft AntiVirus Service"
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 2008)
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        signatures: System Location Discovery: System Language Discovery
    - C:\Windows\SysWOW64\cmd.exe (PID 408)
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8482.bat
      signatures: System Location Discovery: System Language Discovery
    - C:\Windows\Logo1_.exe (PID 5032)
      command line: C:\Windows\Logo1_.exe
      signatures: Drops startup file; Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 4176)
        command line: net stop "Kingsoft AntiVirus Service"
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 2368)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          signatures: System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\net.exe (PID 2400)
        command line: net stop "Kingsoft AntiVirus Service"
        signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 4624)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          signatures: System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
  Filesize: 644KB
  MD5: f9bda517f882e3c2636d44cfa30c8ef0
  SHA1: 06822afcd175307e76db635fa14c80b4708458ba
  SHA256: cb3149e29fc3c22b6ed7a427146780eb251e10b54153139535f6999b33037de8
  SHA512: e6c867020f86944f79cb768de9a01c60c36bbbf2937cf8cecb096ad578d06a2a37a3976665f2063da1e3e3be62ff26b520abe26d442e084e0b496d5ab08e1050
- C:\Users\Admin\AppData\Local\Temp\a0b1f03ea7685264b2995860d6dff1bc7c045f7f9d9e76ee5a09c675f7f5f509.exe.exe
  Filesize: 4KB
  MD5: 99b96f7f497e9e216da4b7c9979810e5
  SHA1: 2c424f82747581db2b35673eb22ba321d573944b
  SHA256: 7c3300179b3d9ab57042a5f026a69fac3b0e2e783e94853ff109a29d2d3f541b
  SHA512: 90a0b888f474fa5505f39ca7575635a7ea839e4e23cf9d573c99d7b3b226036fb0b82e17900012aed9fe1c8b4985488e22df0421ad66dbff9d4fcf4be0455212