Analysis
-
max time kernel
150s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
13/09/2024, 06:04
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe
Resource
win7-20240708-en
windows7-x64
12 signatures
150 seconds
General
-
Target
3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe
-
Size
1.1MB
-
MD5
f4926ba34c279f8f111d959725a34d63
-
SHA1
9546c63e4a77640758391206dba5083bb532feb9
-
SHA256
3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be
-
SHA512
2e4c9d72609430e4955d8e089b726225f471572a182d0bc8a7b71269a783108d108968d5baff2d8a1e4c88ca36dd32401a665782f945685f4deca1b5a6311405
-
SSDEEP
24576:nBvf9AiKGpEoQpkN2C4McuKo0GTNJpyT5RGeQa0s:nBv+GtCi27mVHyT+a0s
Malware Config
Signatures
-
Executes dropped EXE 2 IoCs
pid Process 3636 Logo1_.exe 3976 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\O: Logo1_.exe File opened (read-only) \??\N: Logo1_.exe File opened (read-only) \??\M: Logo1_.exe File opened (read-only) \??\J: Logo1_.exe File opened (read-only) \??\W: Logo1_.exe File opened (read-only) \??\T: Logo1_.exe File opened (read-only) \??\S: Logo1_.exe File opened (read-only) \??\R: Logo1_.exe File opened (read-only) \??\Q: Logo1_.exe File opened (read-only) \??\P: Logo1_.exe File opened (read-only) \??\L: Logo1_.exe File opened (read-only) \??\K: Logo1_.exe File opened (read-only) \??\I: Logo1_.exe File opened (read-only) \??\V: Logo1_.exe File opened (read-only) \??\U: Logo1_.exe File opened (read-only) \??\H: Logo1_.exe File opened (read-only) \??\G: Logo1_.exe File opened (read-only) \??\X: Logo1_.exe File opened (read-only) \??\E: Logo1_.exe File opened (read-only) \??\Z: Logo1_.exe File opened (read-only) \??\Y: Logo1_.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\default_apps\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ar-ae\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\css\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sl-si\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\hu-hu\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\_desktop.ini Logo1_.exe File created C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sl-si\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ca-es\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\cmm\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_splitter\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Cartridges\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\plugins\access\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\root\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Microsoft\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nl-nl\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\cs-cz\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Internet Explorer\it-IT\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ko-kr\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fi-fi\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fr-ma\_desktop.ini Logo1_.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sv-se\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\sv-se\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hu-hu\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Google\Update\1.3.36.371\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access_output\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pt-br\_desktop.ini Logo1_.exe File created C:\Program Files\Internet Explorer\de-DE\_desktop.ini Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\fa\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\it-it\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sk-sk\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\eu-es\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-il\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-il\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\ja-jp\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\dotnet\dotnet.exe Logo1_.exe File created C:\Program Files\VideoLAN\VLC\locale\ie\_desktop.ini Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\da-dk\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-cn\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe Logo1_.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\cs-cz\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\sk\_desktop.ini Logo1_.exe File created C:\Program Files\Windows Defender\uk-UA\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\_desktop.ini Logo1_.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\ja-jp\_desktop.ini Logo1_.exe File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe Logo1_.exe -
Drops file in Windows directory 4 IoCs
description ioc Process File opened for modification C:\Windows\rundl132.exe Logo1_.exe File created C:\Windows\Dll.dll Logo1_.exe File created C:\Windows\rundl132.exe 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe File created C:\Windows\Logo1_.exe 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe -
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Logo1_.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 4652 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe 4652 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe 4652 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe 4652 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe 4652 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe 4652 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe 4652 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe 4652 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe 4652 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe 4652 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe 4652 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe 4652 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe 4652 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe 4652 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe 4652 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe 4652 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe 4652 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe 4652 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe 4652 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe 4652 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe 4652 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe 4652 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe 4652 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe 4652 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe 4652 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe 4652 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe 3636 Logo1_.exe 3636 Logo1_.exe 3636 Logo1_.exe 3636 Logo1_.exe 3636 Logo1_.exe 3636 Logo1_.exe 3636 Logo1_.exe 3636 Logo1_.exe 3636 Logo1_.exe 3636 Logo1_.exe 3636 Logo1_.exe 3636 Logo1_.exe 3636 Logo1_.exe 3636 Logo1_.exe 3636 Logo1_.exe 3636 Logo1_.exe 3636 Logo1_.exe 3636 Logo1_.exe 3636 Logo1_.exe 3636 Logo1_.exe 3636 Logo1_.exe 3636 Logo1_.exe 3636 Logo1_.exe 3636 Logo1_.exe 3636 Logo1_.exe 3636 Logo1_.exe 3636 Logo1_.exe 3636 Logo1_.exe 3636 Logo1_.exe 3636 Logo1_.exe 3636 Logo1_.exe 3636 Logo1_.exe 3636 Logo1_.exe 3636 Logo1_.exe 3636 Logo1_.exe 3636 Logo1_.exe 3636 Logo1_.exe 3636 Logo1_.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 4652 wrote to memory of 2740 4652 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe 83 PID 4652 wrote to memory of 2740 4652 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe 83 PID 4652 wrote to memory of 2740 4652 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe 83 PID 2740 wrote to memory of 1488 2740 net.exe 85 PID 2740 wrote to memory of 1488 2740 net.exe 85 PID 2740 wrote to memory of 1488 2740 net.exe 85 PID 4652 wrote to memory of 768 4652 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe 89 PID 4652 wrote to memory of 768 4652 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe 89 PID 4652 wrote to memory of 768 4652 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe 89 PID 4652 wrote to memory of 3636 4652 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe 90 PID 4652 wrote to memory of 3636 4652 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe 90 PID 4652 wrote to memory of 3636 4652 3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe 90 PID 3636 wrote to memory of 2328 3636 Logo1_.exe 92 PID 3636 wrote to memory of 2328 3636 Logo1_.exe 92 PID 3636 wrote to memory of 2328 3636 Logo1_.exe 92 PID 2328 wrote to memory of 2004 2328 net.exe 94 PID 2328 wrote to memory of 2004 2328 net.exe 94 PID 2328 wrote to memory of 2004 2328 net.exe 94 PID 768 wrote to memory of 3976 768 cmd.exe 95 PID 768 wrote to memory of 3976 768 cmd.exe 95 PID 3636 wrote to memory of 2348 3636 Logo1_.exe 97 PID 3636 wrote to memory of 2348 3636 Logo1_.exe 97 PID 3636 wrote to memory of 2348 3636 Logo1_.exe 97 PID 2348 wrote to memory of 1440 2348 net.exe 99 PID 2348 wrote to memory of 1440 2348 net.exe 99 PID 2348 wrote to memory of 1440 2348 net.exe 99 PID 3636 wrote to memory of 3460 3636 Logo1_.exe 56 PID 3636 wrote to memory of 3460 3636 Logo1_.exe 56
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3460
-
C:\Users\Admin\AppData\Local\Temp\3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe"C:\Users\Admin\AppData\Local\Temp\3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe"2⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4652 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2740 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"4⤵
- System Location Discovery: System Language Discovery
PID:1488
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6EE6.bat3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:768 -
C:\Users\Admin\AppData\Local\Temp\3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe"C:\Users\Admin\AppData\Local\Temp\3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe"4⤵
- Executes dropped EXE
PID:3976
-
-
-
C:\Windows\Logo1_.exeC:\Windows\Logo1_.exe3⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3636 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵
- System Location Discovery: System Language Discovery
PID:2004
-
-
-
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2348 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"5⤵
- System Location Discovery: System Language Discovery
PID:1440
-
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
250KB
MD585288899f47f812de0920f0415e414f1
SHA108e9d96816a8f396b304e69edaf65972ca8fad20
SHA2569cabae29a7cf9d995268c718d32dcee7e8d3d8965ebc6b561eba6db24de2d0bb
SHA512bbd4b0a0faf889098fee026e3a68ca2c1739079559c7bed1c90c36a453b8ddac08a0887279f9d13a5f2520fd13535bd71ee77e6129e016aaa5d29199984572a7
-
Filesize
577KB
MD5a6001b34878a0c9038926295609aeb20
SHA1de581a97239e5e2729f3569e4150955ca29d9777
SHA256147f7b327359fbef3ecd9197f0fb6cd7776e5b2de23ec6eef6c3043e1db2b36d
SHA512167207ceabe2c9605fb2da9dea09ea723d766f7237769e0124abdbc2e62272300db493a60efeeafd07f39828ed2386661949b0e05e91bd77109ad275cc7be05d
-
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize643KB
MD529bab5fa7dbfd951e1c8290a8f4c2ba7
SHA17b86728d64cef9686bd45f2ff6fdc818c11a1bbb
SHA256dda333d8aed86ba750f669280e458ad2fb8d8ad5700a5fe0df584a1c818c481b
SHA5125bb37bffffe297653f91e0601f17b507659bcfe78567e6e1d10506d3c3bea737e7d6374224ecc01f421cff8f74b299eba8fe3152742b2b1c228966a630de1339
-
Filesize
722B
MD5ba08056444686c5e03c781564f2deb96
SHA1d1a495aeba81b53a4cd87d8d7423639291047e2d
SHA256923e64128dcce455023b5c3acb26dac09484588ffc5322298ba54ce50c992d82
SHA5127687ca6a6c534b25671cd54ac8572b5e977a1c3a8c6c8649b21c79c16fdd874ac2390ff97e24fa9bf3695aed155aafa99bcecae69a9b5b0448a28bbf81ed8537
-
C:\Users\Admin\AppData\Local\Temp\3c4a7e22d5344ad877e69e97e99474cb4242d5fd1c2121dcd28056405a4181be.exe.exe
Filesize1.1MB
MD509239e688ff75cd636ac932100b243f9
SHA12a7964c81b9a34bb77c4e3676e7d31b7d2668297
SHA256a36ef4c18a08ee8d8c0d10d96ab37a0c3ce22a8f328733af8c0451579e4edcb1
SHA512686708321d8756ddcfa2d1585ca7261be0ece33bd9d134888cdb4655b8484c727b34b4ac7f12d919184e85ab65088bc565549c262289cb64f9aeca0508290825
-
Filesize
33KB
MD50fa99b8acf13f45b95bacb99fad6efef
SHA1d6271ca22be5d6bbfba2ef4229dca71182d43892
SHA256c41ba3c322874847191377fd1671808aff7f2aac06b0ad1a8d1e81679e498b01
SHA512efdbb5b56a621d6bffe454cf860483a21a64d59ece212cbc42f45f6a2259f5afd99621b88253b8808af5429b7e67d69136dc5fa63b304389e3e2ac090495cc31
-
Filesize
9B
MD5475984718232cf008bb73666d834f1f4
SHA112f23c9301c222f599a279e02a811d274d0f4abc
SHA256a5b32591119f87eb3c8a00c0c39e26ea6d6414aa9887d85fcb4903e1c14921b5
SHA51280235dc2560b7991d79f9550cdeca6ac02c00cee6bf186f8f20d4ff3fbd7718be937b73ab768d71c4027e153557b08bbfd95ea88d2e0857a7c70cf1da6fa9937