Analysis

max time kernel: 149s
max time network: 124s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 26-10-2024 04:20
Static task: static1
Behavioral task: behavioral1
Sample: f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe
Resource: win7-20241010-en

General

Target: f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe
Size: 478KB
MD5: 28959031896021bc7ca9f579de2cc456
SHA1: 3577f294e56af20384c17c2e6b30043d3fb467ce
SHA256: f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec
SHA512: 8ccc791701cbf875cff76feb50e78391fdc4375e0bd78c59111a657059e2f4c8c91b8603755bd5cfc1feb1abcc98b3eda6e3f810de8e8d60eb35090eecb21020
SSDEEP: 12288:CX1m0iZc0IursYCYQeSnyZJiqlEbXSb9NtCGOF2O27MVzy:o1mfMYenGJiKEbXWtfOkUy
Malware Config
Signatures
Deletes itself (1 IoC)
pid | Process
2916 | cmd.exe
Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
Executes dropped EXE (3 IoCs)
pid | Process
2960 | Logo1_.exe
2656 | f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe
2752 | f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe
Loads dropped DLL (3 IoCs)
pid | Process
2916 | cmd.exe
2656 | f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe
2752 | f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
All 21 rows have Process = Logo1_.exe and description = "File opened (read-only)"; the ioc column, in the order the report lists it, is:
\??\X: \??\V: \??\T: \??\M: \??\L: \??\H: \??\W: \??\I: \??\Z: \??\Y: \??\S: \??\Q: \??\P: \??\O: \??\G: \??\E: \??\U: \??\R: \??\N: \??\K: \??\J:
Drops file in Program Files directory (64 IoCs)
All 64 rows have Process = Logo1_.exe.
description | ioc
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe
File created | C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\_desktop.ini
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\en_GB\_desktop.ini
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\_desktop.ini
File created | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\it-IT\_desktop.ini
File created | C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\_desktop.ini
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\_desktop.ini
File opened for modification | C:\Program Files\DVD Maker\es-ES\_desktop.ini
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe
File opened for modification | C:\Program Files\Windows Journal\Journal.exe
File opened for modification | C:\Program Files\Windows Mail\wabmig.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\_desktop.ini
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\_desktop.ini
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\_desktop.ini
File created | C:\Program Files (x86)\Common Files\microsoft shared\EURO\_desktop.ini
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\_desktop.ini
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\_desktop.ini
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\_desktop.ini
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\_desktop.ini
File created | C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\_desktop.ini
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\_desktop.ini
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\_desktop.ini
File opened for modification | C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe
File created | C:\Program Files\VideoLAN\VLC\locale\br\_desktop.ini
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\brx\_desktop.ini
File created | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\_desktop.ini
File opened for modification | C:\Program Files\DVD Maker\de-DE\_desktop.ini
File opened for modification | C:\Program Files\Java\jre7\bin\kinit.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\meta\art\_desktop.ini
File created | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\_desktop.ini
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\_desktop.ini
File opened for modification | C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\_desktop.ini
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\_desktop.ini
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\_desktop.ini
File created | C:\Program Files\VideoLAN\VLC\locale\mk\_desktop.ini
File opened for modification | C:\Program Files\Windows Journal\it-IT\_desktop.ini
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\_desktop.ini
File created | C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\_desktop.ini
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\_desktop.ini
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\_desktop.ini
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\_desktop.ini
File opened for modification | C:\Program Files (x86)\_desktop.ini
File created | C:\Program Files (x86)\Microsoft Analysis Services\_desktop.ini
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\_desktop.ini
File opened for modification | C:\Program Files\Java\jre7\bin\server\_desktop.ini
File created | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\_desktop.ini
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\_desktop.ini
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\_desktop.ini
File created | C:\Program Files (x86)\Common Files\microsoft shared\VC\_desktop.ini
File created | C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\_desktop.ini
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\_desktop.ini
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\_desktop.ini
File created | C:\Program Files\Mozilla Firefox\uninstall\_desktop.ini
File created | C:\Program Files\VideoLAN\VLC\plugins\demux\_desktop.ini
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\_desktop.ini
File opened for modification | C:\Program Files\Microsoft Games\Minesweeper\de-DE\_desktop.ini
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\_desktop.ini
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\_desktop.ini
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\_desktop.ini
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\_desktop.ini
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\_desktop.ini
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\_desktop.ini
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\rundl132.exe | f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe
File created | C:\Windows\Logo1_.exe | f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\Dll.dll | Logo1_.exe
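The file IoCs in the tables above (the `_desktop.ini` marker in the Word STARTUP folder, the `_desktop.ini` files and executables touched under Program Files, and the three files written to C:\Windows) are what you would sweep other hosts for. The script below is an added example, not part of the sandbox report: it walks a tree and flags the dropped Windows-directory names, every `_desktop.ini` marker (the legitimate Windows file is `desktop.ini`, with no underscore), any marker inside the Word STARTUP add-in folder, and executables whose SHA-256 differs from a baseline. The directory layout, the file contents and the baseline digests are constructed here so it runs offline; on a live host you would point `scan_root` at the system drive with a baseline taken from a known-good image of the same build. Function and category names are this example's own.

```python
"""Hunt a file tree for the file IoCs listed in the sandbox report.

Added example, not part of the report. Layout, contents and baseline hashes
are constructed so the script runs offline.
"""
import hashlib
import os
import tempfile

# Names from the "Drops file in Windows directory" table, matched case-insensitively
# directly under <root>\Windows, where none of them exists on a clean install.
DROPPED_IN_WINDOWS = {"logo1_.exe", "rundl132.exe", "dll.dll"}
# Marker the report shows being created; the real Windows file is desktop.ini.
MARKER = "_desktop.ini"
# Word add-in autoload folder that the report shows receiving the marker.
WORD_STARTUP = "/microsoft/word/startup/"


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_root(root, baseline):
    """Return sorted (category, relative_path) findings for everything under root.

    baseline maps lower-case, '/'-separated relative paths of executables to the
    SHA-256 a clean install has; a different digest is reported as a modified
    executable, which is what the report's "File opened for modification ...\\javaw.exe"
    rows point at.
    """
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            low = rel.lower()
            parts = low.split("/")
            if parts[-1] == MARKER:
                findings.append(("marker_file", rel))
                if WORD_STARTUP in "/" + low:
                    findings.append(("office_startup_drop", rel))
            if len(parts) == 2 and parts[0] == "windows" and parts[1] in DROPPED_IN_WINDOWS:
                findings.append(("dropped_in_windows", rel))
            if low in baseline and sha256_of(full) != baseline[low]:
                findings.append(("modified_executable", rel))
    return sorted(findings)


def build_demo_tree(root):
    """Constructed layout mirroring the report's IoCs plus benign files that must not fire."""
    files = {
        "Windows/Logo1_.exe": b"MZ dropped 1",
        "Windows/rundl132.exe": b"MZ dropped 2",
        "Windows/Dll.dll": b"MZ dropped 3",
        "Windows/Explorer.EXE": b"MZ explorer",                  # legitimate, not in the drop list
        "Program Files/Windows Journal/Journal.exe": b"MZ journal (changed)",
        "Program Files/Windows Journal/_desktop.ini": b"",
        "Program Files/Windows Mail/wabmig.exe": b"MZ wabmig clean",
        "Program Files/Windows Mail/desktop.ini": b"[.ShellClassInfo]",  # normal Windows file
        "Users/Admin/AppData/Roaming/Microsoft/Word/STARTUP/_desktop.ini": b"",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    # Baseline digests a clean install would have (constructed): Journal.exe differs, wabmig.exe matches.
    return {
        "program files/windows journal/journal.exe": hashlib.sha256(b"MZ journal clean").hexdigest(),
        "program files/windows mail/wabmig.exe": hashlib.sha256(b"MZ wabmig clean").hexdigest(),
    }


def run_demo():
    with tempfile.TemporaryDirectory() as root:
        baseline = build_demo_tree(root)
        return scan_root(root, baseline)


if __name__ == "__main__":
    for category, path in run_demo():
        print(f"{category:20s} {path}")
```

The three checks deliberately key on different evidence: exact names for the Windows-directory drops, the marker file name for the spray across Program Files, and a hash baseline for the executables the report shows being opened for modification, since a file infector changes content without changing the name.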
System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
All 11 rows have description = "Key opened" and ioc = \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language.
Process | rows
Logo1_.exe | 1
cmd.exe | 1
net.exe | 3
net1.exe | 3
f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe | 3
Runs net.exe
Suspicious behavior: EnumeratesProcesses (43 IoCs)
pid | Process | rows
2776 | f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe | 13
2960 | Logo1_.exe | 30
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
2752 | f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe
Suspicious use of WriteProcessMemory (48 IoCs)
Identical rows are collapsed; the last column is how many times the row appears.
description | pid | Process | procid_target | rows
PID 2776 wrote to memory of 2848 | 2776 | f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe | 30 | 4
PID 2848 wrote to memory of 2180 | 2848 | net.exe | 32 | 4
PID 2776 wrote to memory of 2916 | 2776 | f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe | 33 | 4
PID 2776 wrote to memory of 2960 | 2776 | f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe | 35 | 4
PID 2960 wrote to memory of 2060 | 2960 | Logo1_.exe | 36 | 4
PID 2916 wrote to memory of 2656 | 2916 | cmd.exe | 38 | 7
PID 2060 wrote to memory of 2680 | 2060 | net.exe | 39 | 4
PID 2656 wrote to memory of 2752 | 2656 | f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe | 40 | 7
PID 2960 wrote to memory of 2424 | 2960 | Logo1_.exe | 41 | 4
PID 2424 wrote to memory of 2608 | 2424 | net.exe | 43 | 4
PID 2960 wrote to memory of 1188 | 2960 | Logo1_.exe | 21 | 2
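The report prints one row per write call, so the same writer/target pair shows up four or seven times and the one write that matters is easy to miss. The added example below (not part of the report) parses the rows exactly as the report prints them, collapses them into distinct writer-to-target edges with counts, and then separates writes into a process the writer itself spawned (the pattern for every CreateProcess in this tree) from writes into a process it did not spawn, which here is only Logo1_.exe (2960) writing into Explorer.EXE (1188). The parent map is taken from the Processes section of this report; the 64-hex-character sample name is written as `{S}` in the embedded table for readability and substituted before parsing.

```python
"""Collapse a sandbox "wrote to memory of" table into a writer -> target graph.

Added example, not part of the sandbox report. TABLE is the report's 48 rows,
one per line, with the sample file name abbreviated to {S}; PARENT is the
parent PID of each process in the report's Processes section.
"""
import re
from collections import Counter

SAMPLE = "f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe"

# Row layout: "PID <writer> wrote to memory of <target> <writer> <Process> <procid_target>"
TABLE = """
PID 2776 wrote to memory of 2848 2776 {S} 30
PID 2776 wrote to memory of 2848 2776 {S} 30
PID 2776 wrote to memory of 2848 2776 {S} 30
PID 2776 wrote to memory of 2848 2776 {S} 30
PID 2848 wrote to memory of 2180 2848 net.exe 32
PID 2848 wrote to memory of 2180 2848 net.exe 32
PID 2848 wrote to memory of 2180 2848 net.exe 32
PID 2848 wrote to memory of 2180 2848 net.exe 32
PID 2776 wrote to memory of 2916 2776 {S} 33
PID 2776 wrote to memory of 2916 2776 {S} 33
PID 2776 wrote to memory of 2916 2776 {S} 33
PID 2776 wrote to memory of 2916 2776 {S} 33
PID 2776 wrote to memory of 2960 2776 {S} 35
PID 2776 wrote to memory of 2960 2776 {S} 35
PID 2776 wrote to memory of 2960 2776 {S} 35
PID 2776 wrote to memory of 2960 2776 {S} 35
PID 2960 wrote to memory of 2060 2960 Logo1_.exe 36
PID 2960 wrote to memory of 2060 2960 Logo1_.exe 36
PID 2960 wrote to memory of 2060 2960 Logo1_.exe 36
PID 2960 wrote to memory of 2060 2960 Logo1_.exe 36
PID 2916 wrote to memory of 2656 2916 cmd.exe 38
PID 2916 wrote to memory of 2656 2916 cmd.exe 38
PID 2916 wrote to memory of 2656 2916 cmd.exe 38
PID 2916 wrote to memory of 2656 2916 cmd.exe 38
PID 2916 wrote to memory of 2656 2916 cmd.exe 38
PID 2916 wrote to memory of 2656 2916 cmd.exe 38
PID 2916 wrote to memory of 2656 2916 cmd.exe 38
PID 2060 wrote to memory of 2680 2060 net.exe 39
PID 2060 wrote to memory of 2680 2060 net.exe 39
PID 2060 wrote to memory of 2680 2060 net.exe 39
PID 2060 wrote to memory of 2680 2060 net.exe 39
PID 2656 wrote to memory of 2752 2656 {S} 40
PID 2656 wrote to memory of 2752 2656 {S} 40
PID 2656 wrote to memory of 2752 2656 {S} 40
PID 2656 wrote to memory of 2752 2656 {S} 40
PID 2656 wrote to memory of 2752 2656 {S} 40
PID 2656 wrote to memory of 2752 2656 {S} 40
PID 2656 wrote to memory of 2752 2656 {S} 40
PID 2960 wrote to memory of 2424 2960 Logo1_.exe 41
PID 2960 wrote to memory of 2424 2960 Logo1_.exe 41
PID 2960 wrote to memory of 2424 2960 Logo1_.exe 41
PID 2960 wrote to memory of 2424 2960 Logo1_.exe 41
PID 2424 wrote to memory of 2608 2424 net.exe 43
PID 2424 wrote to memory of 2608 2424 net.exe 43
PID 2424 wrote to memory of 2608 2424 net.exe 43
PID 2424 wrote to memory of 2608 2424 net.exe 43
PID 2960 wrote to memory of 1188 2960 Logo1_.exe 21
PID 2960 wrote to memory of 1188 2960 Logo1_.exe 21
""".replace("{S}", SAMPLE)

# Parent PID of every process in the Processes section; Explorer.EXE (1188) is the root.
PARENT = {2776: 1188, 2848: 2776, 2180: 2848, 2916: 2776, 2656: 2916, 2752: 2656,
          2960: 2776, 2060: 2960, 2680: 2060, 2424: 2960, 2608: 2424}

# The backreference \1 enforces the report's layout, where the writer PID is repeated.
ROW = re.compile(r"PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)")


def parse_rows(text):
    """Yield (writer_pid, target_pid, writer_image) for every row in the table."""
    for m in ROW.finditer(text):
        yield int(m.group(1)), int(m.group(2)), m.group(3)


def collapse(text):
    """Map each distinct (writer, target) edge to the number of rows it appeared in."""
    return Counter((w, t) for w, t, _ in parse_rows(text))


def cross_process_writes(edges, parent):
    """Edges whose target is not a direct child of the writer.

    Writes into a child the writer has just created are the ordinary
    CreateProcess/loader pattern (four or seven rows per launch in this table);
    a write into a process the writer did not spawn is the one to treat as a
    possible injection. In this report that is 2960 (Logo1_.exe) -> 1188 (Explorer.EXE).
    """
    return sorted((w, t) for (w, t) in edges if parent.get(t) != w)


if __name__ == "__main__":
    edges = collapse(TABLE)
    for (w, t), n in sorted(edges.items()):
        print(f"{w} -> {t}  ({n} rows)")
    print("writes into non-children:", cross_process_writes(edges, PARENT))
```

The parent map is the part you need from somewhere else: a sandbox process tree, Sysmon event 1, or ETW. Without it every row looks the same, and the Explorer write is indistinguishable from the eleven launches around it.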
Processes

C:\Windows\Explorer.EXE  (PID 1188)
  command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe  (PID 2776)
    command line: "C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net.exe  (PID 2848)
      command line: net stop "Kingsoft AntiVirus Service"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net1.exe  (PID 2180)
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe  (PID 2916)
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3CF1.bat
      - Deletes itself
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe  (PID 2656)
        command line: "C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe  (PID 2752)
          command line: "C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe" -burn.unelevated BurnPipe.{867ADDB3-92A1-4389-9562-99DA3A07396D} {A5907949-362F-43AA-9C83-109F92F26009} 2656
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: GetForegroundWindowSpam

    C:\Windows\Logo1_.exe  (PID 2960)
      command line: C:\Windows\Logo1_.exe
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net.exe  (PID 2060)
        command line: net stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe  (PID 2680)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\net.exe  (PID 2424)
        command line: net stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe  (PID 2608)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          - System Location Discovery: System Language Discovery
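The tree above is a compact chain to write detections against: net.exe and net1.exe stopping an antivirus service on behalf of a user-land executable, cmd.exe running a `$$a....bat` out of the user's Temp folder (the step the report tags "Deletes itself"), and an executable running directly out of C:\Windows rather than out of System32. The `-burn.unelevated BurnPipe.{GUID} {GUID} 2656` command line on the re-launched copy is the argument form the WiX Burn bootstrapper uses to start its unelevated child, which is consistent with the 444KB dropped `.exe.exe` in the Downloads section being a bundled installer that the sample runs after itself; that reading is an inference from the command line, not something the report states. The code below is an added example, not part of the report or of any vendor rule set: the events are constructed from the Processes section (same PIDs, images and command lines), the `pid`/`ppid`/`image`/`cmdline` field names loosely follow Sysmon event 1 as an assumption, and the antivirus keyword list and the allowlist of executables that legitimately live in C:\Windows are illustrative starting points, not complete baselines.

```python
"""Process-creation detections for the chain in the sandbox report.

Added example, not part of the report. Events are constructed from the
report's Processes section; field names are an assumption in the style of
Sysmon event 1. Keyword and allowlist contents are illustrative.
"""
import ntpath  # Windows path semantics regardless of the host running this script
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe"
NET = r"C:\Windows\SysWOW64\net.exe"
NET1 = r"C:\Windows\SysWOW64\net1.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
STOP_AV = 'net stop "Kingsoft AntiVirus Service"'
STOP_AV1 = r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'


def ev(pid, ppid, image, cmdline):
    return {"pid": pid, "ppid": ppid, "image": image, "cmdline": cmdline}


# The report's process tree as process-creation events (constructed, same values as the report).
EVENTS = [
    ev(1188, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ev(2776, 1188, SAMPLE, f'"{SAMPLE}"'),
    ev(2848, 2776, NET, STOP_AV),
    ev(2180, 2848, NET1, STOP_AV1),
    ev(2916, 2776, CMD, r"cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3CF1.bat"),
    ev(2656, 2916, SAMPLE, f'"{SAMPLE}"'),
    ev(2752, 2656, SAMPLE, f'"{SAMPLE}" -burn.unelevated BurnPipe.{{867ADDB3-92A1-4389-9562-99DA3A07396D}} '
                           '{A5907949-362F-43AA-9C83-109F92F26009} 2656'),
    ev(2960, 2776, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    ev(2060, 2960, NET, STOP_AV),
    ev(2680, 2060, NET1, STOP_AV1),
    ev(2424, 2960, NET, STOP_AV),
    ev(2608, 2424, NET1, STOP_AV1),
]

# Illustrative lists; extend from your own estate. "antivirus" alone matches the report's service.
AV_KEYWORDS = ("antivirus", "kingsoft", "defender", "endpoint", "security")
WINDOWS_ROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe", "write.exe", "splwow64.exe"}
TEMP_BAT = re.compile(r"\\AppData\\Local\\Temp\\\$\$[^\\\s]*\.bat\b", re.IGNORECASE)
STOP_ARG = re.compile(r'\bstop\s+"?([^"]+)"?', re.IGNORECASE)


def rule_av_service_stop(e):
    """net.exe stopping a service whose name looks like a security product.

    net.exe forwards to net1.exe, so only net.exe is matched and each stop is one alert.
    """
    if ntpath.basename(e["image"]).lower() != "net.exe":
        return False
    m = STOP_ARG.search(e["cmdline"])
    return bool(m) and any(k in m.group(1).lower() for k in AV_KEYWORDS)


def rule_temp_batch_from_cmd(e):
    """cmd.exe running a $$-prefixed .bat from the user's Temp folder (the self-delete step)."""
    return ntpath.basename(e["image"]).lower() == "cmd.exe" and bool(TEMP_BAT.search(e["cmdline"]))


def rule_exe_in_windows_root(e):
    """An image directly under C:\\Windows that is not one of the few that belong there."""
    directory, base = ntpath.split(e["image"])
    return directory.lower() == r"c:\windows" and base.lower() not in WINDOWS_ROOT_ALLOW


RULES = {
    "av_service_stop": rule_av_service_stop,
    "temp_batch_from_cmd": rule_temp_batch_from_cmd,
    "exe_in_windows_root": rule_exe_in_windows_root,
}


def detect(events):
    """Run every rule over every event; attach the parent image so the alert names the real actor."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        for name, rule in RULES.items():
            if rule(e):
                parent = by_pid.get(e["ppid"])
                alerts.append({"rule": name, "pid": e["pid"],
                               "parent_image": parent["image"] if parent else None})
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f'{a["rule"]:22s} pid={a["pid"]}  launched by {a["parent_image"]}')
```

On this tree the rules fire five times: three antivirus stops (two launched by Logo1_.exe, one by the sample itself), one Temp batch file, and one executable running out of C:\Windows. Attaching the parent image is what turns "net.exe stopped a service" into "a binary in Temp or in C:\Windows stopped the antivirus", which is the fact an analyst acts on.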
Network

MITRE ATT&CK Enterprise v15

Credential Access
  Credentials from Password Stores (1): Credentials from Web Browsers (1)
  Unsecured Credentials (1): Credentials In Files (1)
Downloads

Filesize: 258KB
MD5: dd5f511ac42d9719d30a69ad45d2efd4
SHA1: 6a74d19c5f70b2950a01f54d6526ed1e1db4dd42
SHA256: b209a195049e7e6704c77e5856589ab1a257bb70f6457099a5a39cd9531d81bb
SHA512: f1aae77e9af1cccdd44936477504d7d1e92a093b9755d555eaa1510f66e5ed4e96b25c7a8b6f2cb79bd39537d1aae368d6af0176be563885ef61d4e7d752ffaa

Filesize: 722B
MD5: c862d0940f612bd83874e5bfc6dead17
SHA1: ce556fd27b35bc6a5f9a9df7b5bae434f823b9a7
SHA256: 5eae0d6cf0a4b102a18caede39fd279dd4d2ccb9087b35a5a20f9e9fd56d263b
SHA512: 27f2289791e82c139b0e39e1744c4f5b38a0d1e7f97ce7eef8f66b8aa6880f2a7fd79f7e7ab0831501a36f5b11524700f09cd5ad82ccf542f8c4c05e17245650

C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe.exe
Filesize: 444KB
MD5: 2b48f69517044d82e1ee675b1690c08b
SHA1: 83ca22c8a8e9355d2b184c516e58b5400d8343e0
SHA256: 507bdc3ab5a6d9ddba2df68aff6f59572180134252f5eb8cb46f9bb23006b496
SHA512: 97d9b130a483263ddf59c35baceba999d7c8db4effc97bcb935cb57acc7c8d46d3681c95e24975a099e701997330c6c6175e834ddb16abc48d5e9827c74a325b

Filesize: 1KB
MD5: d6bd210f227442b3362493d046cea233
SHA1: ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256: 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512: 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Filesize: 33KB
MD5: dd7de04b7104a93e35fb3a577b5b621b
SHA1: 4d84ff8b82f359e1c303d9d68dda6dc503848ad6
SHA256: fc02df6a818f176e9499cda422291726b9e3d37d6e381dd5629295df031cde03
SHA512: 569116a84fd5d09c06c4967d466de2f6a7be71b77edaa28bef11836d0eb5fa20eef5c9c415540a8f5f785cdbe0e059f21a835952b81ac97b5e620a52bf56a921

Filesize: 10B
MD5: 28a582403dbb209b6c5cb7bada9c918d
SHA1: db58560be63032a4cbd738d2d639e5bf764d6277
SHA256: b5a9fa3acde4d9499ea08a6d9ff193fc9cda57f04141f82d2422a4008f451200
SHA512: 511b4d3886d671d01c66d2509b784a199e68a00f2597d311d8d0770f0b1030680136ee450343a8d6c4b51d9de8448bafdde44dc1a1c6e62bccde47d5af03fbae

Filesize: 126KB
MD5: d7bf29763354eda154aad637017b5483
SHA1: dfa7d296bfeecde738ef4708aaabfebec6bc1e48
SHA256: 7f5f8fcfd84132579f07e395e65b44e1b031fe01a299bce0e3dd590131c5cb93
SHA512: 1c76175732fe68b9b12cb46077daa21e086041adbd65401717a9a1b5f3c516e03c35a90897c22c7281647d6af4a1a5ffb3fbd5706ea376d8f6e574d27396019c