0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-09-2024 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
Size

26KB
MD5

e207b9fe562e784a003de76c8985e4b0
SHA1

a913efadc46fbea856276be5133f6e5f070cc582
SHA256

0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799
SHA512

8026fd862af1fdbb2486d05be17a2cd71bb54d6c6dc019ad8936aefbb1c601019486ad1e3b3b3b48820aa52da0fc06190f1a58c2292f4e898bc138a932538d32
SSDEEP

768:t1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoLvC:rfgLdQAQfcfymN

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\P:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\O:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\N:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\M:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\I:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\Z:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\S:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\R:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\L:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\E:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\Y:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\W:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\K:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\J:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\G:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\X:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\V:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\U:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\T:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\Q:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\H:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tt\LC_MESSAGES\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateSetup.exe	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\ja-JP\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmprph.exe	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files\Microsoft Games\Hearts\de-DE\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files\Java\jre7\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ta\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files (x86)\Adobe\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lg\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ms\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files\Windows Journal\en-US\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files\Mozilla Firefox\firefox.exe	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\video_output\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files\Java\jre7\bin\plugin2\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\QuickStyles\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Antarctica\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1964	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
1964	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
1964	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
1964	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
1964	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
1964	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
1964	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
1964	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
1964	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
1964	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 2696	1964	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe	30
PID 1964 wrote to memory of 2696	1964	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe	30
PID 1964 wrote to memory of 2696	1964	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe	30
PID 1964 wrote to memory of 2696	1964	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe	30
PID 2696 wrote to memory of 1908	2696	net.exe	32
PID 2696 wrote to memory of 1908	2696	net.exe	32
PID 2696 wrote to memory of 1908	2696	net.exe	32
PID 2696 wrote to memory of 1908	2696	net.exe	32
PID 1964 wrote to memory of 1108	1964	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe	20
PID 1964 wrote to memory of 1108	1964	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1108
- C:\Users\Admin\AppData\Local\Temp\0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
  "C:\Users\Admin\AppData\Local\Temp\0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1964
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
020dd361aee3b7ecae67da12b15ae361

SHA1
e3aa218a75213a2e7102add43d608636bfb7b7db

SHA256
186997192aa315c769688c76f07124978d7f5ecbbb5a5e04c10d7a5925c502e5

SHA512
06725449fdfd2b592749e9d6b97583881d7e285edca4f86fd54879577585cfa784cd7a9c32e7b681d8e2a37943a0bda844dafa24cb29a240d0cbcb2247af1da6

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
956KB

MD5
2f75721dd9bd9a7d43e28e21f6cf40af

SHA1
0d053ab5af7f8158f1b97395e5841254d421107d

SHA256
01b62b7a53b9d8089a23482e5c3dc8a6501813e85fb9ffd248a55e9aaea99781

SHA512
beca81525eb7972b9f34a9147c1d942e130857bd0438124473256dd639500e43f3bb124693e948fc4e7a2327e3cc7d57a0efab45077943a41ff7e84b40bd0510

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
28f6479e5c0b7a32e8ae773b9221a22a

SHA1
882e24734f4d42c4e0b95bb695c921ee66ae2042

SHA256
5ec41e0b29c00dd288859df2f583b0e771c11c01d8fd519fe2bd8921b3bed4f3

SHA512
d27c5c01bfe526652af0083bc17c4a3212fc00d594344b6a1a39999248623fba1ae14c79ec849c3567d1bf952cdf7e1e4fd5b22fde938227d89338529fb43685

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2872745919-2748461613-2989606286-1000\_desktop.ini

Filesize
9B

MD5
5412111268dd2c1fb1cf8697bfab9b6c

SHA1
16d0b289e83c74cb50a004edd7c5750ac706f321

SHA256
f3aa35be7048ddbf11fc581e5f9476745d75bcf097e121ba2915614e360a0cdc

SHA512
13fc5bf11faaf5471fde8a1bafdcc6d27521bad796e5e532c94d9c8232dd70088e70b6d5ac60c4c15d13e59926ac38e9a9e01b4dd4694a77d70bdd1ae7005ccf

Download Submit
memory/1108-5-0x0000000002CF0000-0x0000000002CF1000-memory.dmp

Filesize
4KB

Download
memory/1964-66-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1964-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1964-73-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1964-20-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1964-383-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1964-1849-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1964-14-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1964-3309-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1964-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download