Analysis
max time kernel: 149s
max time network: 125s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 26-10-2024 04:22
Static task: static1
Behavioral task: behavioral1
Sample: ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe
Resource: win7-20241010-en
General
Target: ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe
Size: 488KB
MD5: de4f99d33c3138d156d2227d1b33c300
SHA1: 539dffd0a2747a2476194ea4622ce811b777d2c9
SHA256: ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e
SHA512: 4db6e5810373d94603df13bbac362ef5e0d76a5b5400aac1d3d132706058fd69b58b5423ecfd811efe2f925d91fdf137b5a009b6d22a0a8d5fbcf9e300d3b7e0
SSDEEP: 12288:CX1m03qIOkU8AMXE9B7PElZlP41N+4PUWfo:o1meBOkUhMXcBwc04nA
Malware Config
Signatures
Deletes itself (1 IoC)
  - PID 2848  cmd.exe
Drops startup file (2 IoCs)
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini  (Logo1_.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini  (Logo1_.exe)
Executes dropped EXE (3 IoCs)
  - PID 2880  Logo1_.exe
  - PID 2972  ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe
  - PID 2816  ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe
Loads dropped DLL (3 IoCs)
  - PID 2848  cmd.exe
  - PID 2972  ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe
  - PID 2816  ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe
Reads user/profile data of web browsers (3 TTPs)
Infostealers often target stored browser data, which can include saved credentials, cookies and browsing history. The report lists no concrete IoC (file or registry path) for this signature, so weight it accordingly.
Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system. As above, no concrete IoC is listed for this signature.
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
File opened (read-only) by Logo1_.exe, one event per drive letter, every letter from E: to Z: except F::
  \??\E:  \??\G:  \??\H:  \??\I:  \??\J:  \??\K:  \??\L:  \??\M:  \??\N:  \??\O:  \??\P:  \??\Q:  \??\R:  \??\S:  \??\T:  \??\U:  \??\V:  \??\W:  \??\X:  \??\Y:  \??\Z:
Drops file in Program Files directory (64 IoCs)
Process for every entry: Logo1_.exe. All but two targets are the _desktop.ini marker; the two exceptions are existing executables (java.exe and wmlaunch.exe) opened for modification.
  - File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\_desktop.ini
  - File created: C:\Program Files\DVD Maker\Shared\DvdStyles\Push\_desktop.ini
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\_desktop.ini
  - File opened for modification: C:\Program Files\VideoLAN\VLC\locale\mn\_desktop.ini
  - File opened for modification: C:\Program Files\VideoLAN\VLC\skins\fonts\_desktop.ini
  - File created: C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\_desktop.ini
  - File created: C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\_desktop.ini
  - File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\_desktop.ini
  - File created: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\_desktop.ini
  - File created: C:\Program Files (x86)\Microsoft SQL Server Compact Edition\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\_desktop.ini
  - File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\_desktop.ini
  - File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\_desktop.ini
  - File opened for modification: C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_desktop.ini
  - File created: C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\_desktop.ini
  - File opened for modification: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\_desktop.ini
  - File created: C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\_desktop.ini
  - File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\_desktop.ini
  - File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_desktop.ini
  - File created: C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\_desktop.ini
  - File created: C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\_desktop.ini
  - File created: C:\Program Files (x86)\Windows Defender\_desktop.ini
  - File created: C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\_desktop.ini
  - File opened for modification: C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_desktop.ini
  - File opened for modification: C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_desktop.ini
  - File opened for modification: C:\Program Files\VideoLAN\VLC\locale\lt\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\_desktop.ini
  - File created: C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Internet Explorer\en-US\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Windows Photo Viewer\de-DE\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\_desktop.ini
  - File opened for modification: C:\Program Files\_desktop.ini
  - File created: C:\Program Files\Microsoft Games\FreeCell\ja-JP\_desktop.ini
  - File created: C:\Program Files\VideoLAN\VLC\lua\sd\_desktop.ini
  - File created: C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\_desktop.ini
  - File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\_desktop.ini
  - File created: C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\_desktop.ini
  - File created: C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\_desktop.ini
  - File created: C:\Program Files\Java\jre7\lib\zi\Africa\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Windows Mail\fr-FR\_desktop.ini
  - File opened for modification: C:\Program Files\VideoLAN\VLC\locale\nn\_desktop.ini
  - File created: C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\_desktop.ini
  - File opened for modification: C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\_desktop.ini
  - File opened for modification: C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\_desktop.ini
  - File created: C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\_desktop.ini
  - File created: C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\_desktop.ini
  - File created: C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Windows Media Player\wmlaunch.exe
  - File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\_desktop.ini
  - File opened for modification: C:\Program Files\DVD Maker\Shared\_desktop.ini
  - File created: C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\_desktop.ini
  - File opened for modification: C:\Program Files\VideoLAN\VLC\plugins\keystore\_desktop.ini
  - File opened for modification: C:\Program Files\Windows Mail\ja-JP\_desktop.ini
  - File created: C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\_desktop.ini
  - File opened for modification: C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\_desktop.ini
  - File opened for modification: C:\Program Files (x86)\Windows NT\TableTextService\en-US\_desktop.ini
Drops file in Windows directory (4 IoCs)
  - File created: C:\Windows\Logo1_.exe  (ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe)
  - File opened for modification: C:\Windows\rundl132.exe  (Logo1_.exe)
  - File created: C:\Windows\Dll.dll  (Logo1_.exe)
  - File created: C:\Windows\rundl132.exe  (ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe)
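The drop signatures above (Program Files, Windows directory and the Word STARTUP folder) reduce to two on-disk artefact types: a `_desktop.ini` marker (leading underscore, unlike the legitimate desktop.ini) planted in most Program Files subdirectories, and three named files directly in C:\Windows. Below is an added example by the editor, not tria.ge output or the sample's own code, of hunting for those artefacts on a host: it walks a tree, reports marker files and the three drop names when they sit directly in the Windows directory, and counts how many directories under Program Files carry the marker, since density is the signal with an infector like this one. The sample directory tree is constructed for the demo; `rundl132.exe` is matched by name only (it differs from the legitimate rundll32.exe by a digit 1 in place of a letter l). The two "opened for modification" entries on java.exe and wmlaunch.exe are modifications of existing executables that this hunt does not cover; compare their hashes against known-good copies separately.

```python
"""Host-side hunt for the file artefacts this report attributes to Logo1_.exe.

Added example, not tria.ge output. The marker name (_desktop.ini, with a
leading underscore that the legitimate desktop.ini does not have) and the
three names dropped under C:\\Windows are taken from the report; the sample
directory tree is constructed for the demo and the counting logic is the
editor's.
"""
import os
import shutil
import tempfile
from typing import Dict, List, Tuple

MARKER = "_desktop.ini"
WINDOWS_DROPS = {"logo1_.exe", "rundl132.exe", "dll.dll"}  # rundl132, not rundll32


def _rel(root: str, path: str) -> str:
    """Path relative to root with forward slashes, so results compare across OSes."""
    return os.path.relpath(path, root).replace(os.sep, "/")


def hunt(root: str, windows_dir: str) -> Dict[str, List[str]]:
    """Walk root; report every marker file and any drop name directly in windows_dir."""
    win_abs = os.path.normpath(os.path.join(root, windows_dir))
    hits: Dict[str, List[str]] = {"markers": [], "windows_drops": []}
    for dirpath, _dirs, files in os.walk(root):
        in_windows_root = os.path.normpath(dirpath) == win_abs
        for f in files:
            if f.lower() == MARKER:
                hits["markers"].append(_rel(root, os.path.join(dirpath, f)))
            elif in_windows_root and f.lower() in WINDOWS_DROPS:
                hits["windows_drops"].append(_rel(root, os.path.join(dirpath, f)))
    return {k: sorted(v) for k, v in hits.items()}


def marker_dir_counts(subtree: str) -> Tuple[int, int]:
    """(directories containing the marker, directories walked) under subtree.

    The infector planted the marker in most Program Files subdirectories, so a
    high ratio here is a stronger signal than any single file.
    """
    with_marker = total = 0
    for _dirpath, _dirs, files in os.walk(subtree):
        total += 1
        if any(f.lower() == MARKER for f in files):
            with_marker += 1
    return with_marker, total


def build_sample_tree() -> str:
    """Create a throwaway tree (constructed, not from the sandbox) mimicking the report."""
    root = tempfile.mkdtemp(prefix="logo1_hunt_")
    files = [
        "Program Files/VideoLAN/VLC/locale/mn/_desktop.ini",              # path from the report
        "Program Files/Windows Sidebar/Gadgets/CPU.Gadget/js/_desktop.ini",
        "Program Files/Clean App/readme.txt",                             # clean directory
        "Program Files/Clean App/desktop.ini",                            # legitimate name, no underscore
        "Windows/Logo1_.exe", "Windows/rundl132.exe", "Windows/Dll.dll",  # the three drops
        "Windows/System32/rundll32.exe",                                  # real rundll32, must not hit
        "Users/Admin/AppData/Roaming/Microsoft/Word/STARTUP/_desktop.ini",
    ]
    for rel in files:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


def run_demo() -> Dict[str, object]:
    """Build the sample tree, hunt it, clean up, and return the findings."""
    root = build_sample_tree()
    try:
        result: Dict[str, object] = dict(hunt(root, "Windows"))
        result["program_files_marker_dirs"] = marker_dir_counts(
            os.path.join(root, "Program Files"))
        return result
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

On a real Windows 7 host you would call `hunt(r"C:\", "Windows")` only if you can afford a full-disk walk; in practice point `marker_dir_counts` at each Program Files root and `hunt` at a narrow root, running elevated so access-denied directories do not silently hide markers.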
System Location Discovery: System Language Discovery (1 TTP, 11 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  - ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe  (3 events)
  - net.exe  (3 events)
  - net1.exe  (3 events)
  - Logo1_.exe  (1 event)
  - cmd.exe  (1 event)
Runs net.exe
Suspicious behavior: EnumeratesProcesses (43 IoCs)
  - PID 3052  ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe  (13 events)
  - PID 2880  Logo1_.exe  (30 events)
Suspicious use of WriteProcessMemory (48 IoCs)
Grouped by writer and target; the number in parentheses after the target is the report's procid_target index.
  - PID 3052 ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe wrote to memory of PID 1824 net.exe (30): 4 events
  - PID 1824 net.exe wrote to memory of PID 2072 net1.exe (32): 4 events
  - PID 3052 ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe wrote to memory of PID 2848 cmd.exe (33): 4 events
  - PID 3052 ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe wrote to memory of PID 2880 Logo1_.exe (34): 4 events
  - PID 2880 Logo1_.exe wrote to memory of PID 2988 net.exe (36): 4 events
  - PID 2988 net.exe wrote to memory of PID 2888 net1.exe (38): 4 events
  - PID 2848 cmd.exe wrote to memory of PID 2972 ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe (39): 7 events
  - PID 2972 ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe wrote to memory of PID 2816 ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe (40): 7 events
  - PID 2880 Logo1_.exe wrote to memory of PID 3068 net.exe (41): 4 events
  - PID 3068 net.exe wrote to memory of PID 1612 net1.exe (43): 4 events
  - PID 2880 Logo1_.exe wrote to memory of PID 1200 Explorer.EXE (21): 2 events
The last entry is the only write into a process Logo1_.exe did not spawn: PID 1200 is the desktop Explorer.EXE at the root of the tree.
Processes

C:\Windows\Explorer.EXE  (PID 1200)
  command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe  (PID 3052, parent 1200)
    command line: "C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net.exe  (PID 1824, parent 3052)
      command line: net stop "Kingsoft AntiVirus Service"
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net1.exe  (PID 2072, parent 1824)
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery

    C:\Windows\SysWOW64\cmd.exe  (PID 2848, parent 3052)
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a23D6.bat
      - Deletes itself
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe  (PID 2972, parent 2848)
        command line: "C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe  (PID 2816, parent 2972)
          command line: "C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe" -burn.unelevated BurnPipe.{BB4368DF-C969-4901-A263-66C86651B7BE} {6E737B87-834A-4687-946E-190C6731BF8C} 2972
          - Executes dropped EXE
          - Loads dropped DLL
          - System Location Discovery: System Language Discovery

    C:\Windows\Logo1_.exe  (PID 2880, parent 3052)
      command line: C:\Windows\Logo1_.exe
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net.exe  (PID 2988, parent 2880)
        command line: net stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe  (PID 2888, parent 2988)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          - System Location Discovery: System Language Discovery

      C:\Windows\SysWOW64\net.exe  (PID 3068, parent 2880)
        command line: net stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe  (PID 1612, parent 3068)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          - System Location Discovery: System Language Discovery
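The signatures above are generic labels; what a detection engineer wants from this tree is a rule set that actually fires on it. The block below is an added example by the editor, not tria.ge output or the sample's code. It encodes the process tree as constructed process-creation events (PIDs, parents, images and command lines as shown above) and runs three rules over them: a net/net1 "stop" of a service whose name suggests a security product (both the sample and Logo1_.exe issue it, three times in total), execution of a non-allowlisted binary directly from C:\Windows, and cmd /c on a .bat under the user's Temp (the self-delete and relaunch step). It then taints every descendant of a C:\Windows hit. The rule names, the regexes and the C:\Windows allowlist are assumptions to be tuned against real Sysmon or EDR telemetry. Two observations the editor draws from the tree itself, not stated by the report: the `-burn.unelevated BurnPipe` command line on PID 2816 is the form a WiX Burn bootstrapper uses when it spawns its unelevated helper, and PID 2880 also writes into Explorer.EXE (PID 1200), which a parent/child view alone will not show.

```python
"""Process-tree detection modelled on the tree in this report.

Added example, not tria.ge output. EVENTS is constructed by hand from the
report's process list; the rules, regexes and the C:\\Windows allowlist are
the editor's assumptions and will need tuning against real telemetry.
"""
import ntpath
import re
from typing import Dict, List, Tuple

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe")
NET, NET1 = r"C:\Windows\SysWOW64\net.exe", r"C:\Windows\SysWOW64\net1.exe"
AV_STOP = 'net stop "Kingsoft AntiVirus Service"'
AV_STOP1 = 'C:\\Windows\\system32\\net1 stop "Kingsoft AntiVirus Service"'

# (pid, ppid, image, command line) -- constructed from the report's process tree
EVENTS: List[Tuple[int, int, str, str]] = [
    (1200, 0,    r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (3052, 1200, SAMPLE, f'"{SAMPLE}"'),
    (1824, 3052, NET, AV_STOP),
    (2072, 1824, NET1, AV_STOP1),
    (2848, 3052, r"C:\Windows\SysWOW64\cmd.exe",
     r"cmd /c C:\Users\Admin\AppData\Local\Temp\$$a23D6.bat"),
    (2972, 2848, SAMPLE, f'"{SAMPLE}"'),
    (2816, 2972, SAMPLE,
     f'"{SAMPLE}" -burn.unelevated BurnPipe.{{BB4368DF-C969-4901-A263-66C86651B7BE}} '
     "{6E737B87-834A-4687-946E-190C6731BF8C} 2972"),
    (2880, 3052, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    (2988, 2880, NET, AV_STOP),
    (2888, 2988, NET1, AV_STOP1),
    (3068, 2880, NET, AV_STOP),
    (1612, 3068, NET1, AV_STOP1),
]

# net/net1 "stop" of a service whose name suggests a security product (assumed word list)
AV_STOP_RE = re.compile(r"\bstop\b.*\b(anti-?virus|defender|security|protect)", re.I)
# cmd /c on a .bat under the user's Temp: the self-delete / relaunch batch pattern
TEMP_BAT_RE = re.compile(r"\\AppData\\Local\\Temp\\[^\s\"]+\.bat(\s|$)", re.I)
# Binaries legitimately found directly in C:\Windows on Windows 7 (assumption; extend per build)
WINDOWS_ROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "write.exe",
                      "hh.exe", "winhlp32.exe", "splwow64.exe", "bfsvc.exe",
                      "fveupdate.exe", "helppane.exe", "twunk_16.exe", "twunk_32.exe"}


def _name(path: str) -> str:
    return ntpath.basename(path).lower()


def ancestry(pid: int, events=EVENTS) -> List[int]:
    """Parent chain of pid, nearest parent first, stopping at the root or a cycle."""
    by_pid = {e[0]: e for e in events}
    chain, seen = [], {pid}
    cur = by_pid.get(pid)
    while cur and cur[1] in by_pid and cur[1] not in seen:
        seen.add(cur[1])
        chain.append(cur[1])
        cur = by_pid[cur[1]]
    return chain


def detect(events=EVENTS) -> Dict[str, List[int]]:
    """Run each rule over every event; returns rule name -> sorted PIDs that hit."""
    hits: Dict[str, List[int]] = {"av_service_stop": [], "windows_root_exec": [],
                                  "temp_batch_launch": [], "tainted_descendant": []}
    for pid, _ppid, image, cmdline in events:
        name = _name(image)
        if name in ("net.exe", "net1.exe") and AV_STOP_RE.search(cmdline):
            hits["av_service_stop"].append(pid)
        if ntpath.dirname(image).lower() == r"c:\windows" and name not in WINDOWS_ROOT_ALLOW:
            hits["windows_root_exec"].append(pid)
        if name == "cmd.exe" and TEMP_BAT_RE.search(cmdline):
            hits["temp_batch_launch"].append(pid)
    # Anything spawned below a windows_root_exec hit inherits suspicion: here the
    # two net.exe/net1.exe pairs launched by Logo1_.exe.
    tainted = set(hits["windows_root_exec"])
    for pid, *_ in events:
        if tainted.intersection(ancestry(pid, events)):
            hits["tainted_descendant"].append(pid)
    return {k: sorted(v) for k, v in hits.items()}


if __name__ == "__main__":
    for rule, pids in detect().items():
        print(f"{rule:20s} {pids}")
```

Against the constructed events the av_service_stop rule fires on all six net/net1 processes, windows_root_exec on Logo1_.exe alone, temp_batch_launch on the cmd.exe running $$a23D6.bat, and the taint rule picks up the two net/net1 pairs under Logo1_.exe. The WriteProcessMemory hit on Explorer.EXE is not reachable from parent links and needs a separate rule over access or injection events.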
Network
MITRE ATT&CK Enterprise v15
Credential Access
  - Credentials from Password Stores (T1555): 1 signature
    - Credentials from Web Browsers (T1555.003): 1 signature
  - Unsecured Credentials (T1552): 1 signature
    - Credentials In Files (T1552.001): 1 signature
Downloads

Dropped file (path not listed in the report)
  Filesize: 258KB
  MD5: dd5f511ac42d9719d30a69ad45d2efd4
  SHA1: 6a74d19c5f70b2950a01f54d6526ed1e1db4dd42
  SHA256: b209a195049e7e6704c77e5856589ab1a257bb70f6457099a5a39cd9531d81bb
  SHA512: f1aae77e9af1cccdd44936477504d7d1e92a093b9755d555eaa1510f66e5ed4e96b25c7a8b6f2cb79bd39537d1aae368d6af0176be563885ef61d4e7d752ffaa

Dropped file (path not listed in the report)
  Filesize: 722B
  MD5: a57dce8cdf720faae68f74bec1501b1f
  SHA1: 14b2c3db472d25d134c77d7dda654f963cb2f9b8
  SHA256: 8eb6a3c899db46f9fb4febd592517e4c859b9b0759133843252c4093e114d6cf
  SHA512: 6cf20d2e8fb45c329c16bef63320543e34f68e4c0eec06fcd53cdc7ec9f09e8ea8622de7d99d4a8c6a280ce1eb451bd93c01f4f6912c454f6dd7385bb5447025

C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe.exe
  Filesize: 455KB
  MD5: 6503c081f51457300e9bdef49253b867
  SHA1: 9313190893fdb4b732a5890845bd2337ea05366e
  SHA256: 5ebba234b1d2ff66d4797e2334f97e0ed38f066df15403db241ca9feb92730ea
  SHA512: 4477dbcee202971973786d62a8c22f889ea1f95b76a7279f0f11c315216d7e0f9e57018eabf2cf09fda0b58cae2178c14dcb70e2dee7efd3705c8b857f9d3901

Dropped file (path not listed in the report)
  Filesize: 1KB
  MD5: d6bd210f227442b3362493d046cea233
  SHA1: ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
  SHA256: 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
  SHA512: 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Dropped file (path not listed in the report)
  Filesize: 33KB
  MD5: dd7de04b7104a93e35fb3a577b5b621b
  SHA1: 4d84ff8b82f359e1c303d9d68dda6dc503848ad6
  SHA256: fc02df6a818f176e9499cda422291726b9e3d37d6e381dd5629295df031cde03
  SHA512: 569116a84fd5d09c06c4967d466de2f6a7be71b77edaa28bef11836d0eb5fa20eef5c9c415540a8f5f785cdbe0e059f21a835952b81ac97b5e620a52bf56a921

Dropped file (path not listed in the report)
  Filesize: 10B
  MD5: 28a582403dbb209b6c5cb7bada9c918d
  SHA1: db58560be63032a4cbd738d2d639e5bf764d6277
  SHA256: b5a9fa3acde4d9499ea08a6d9ff193fc9cda57f04141f82d2422a4008f451200
  SHA512: 511b4d3886d671d01c66d2509b784a199e68a00f2597d311d8d0770f0b1030680136ee450343a8d6c4b51d9de8448bafdde44dc1a1c6e62bccde47d5af03fbae

Dropped file (path not listed in the report)
  Filesize: 117KB
  MD5: a52e5220efb60813b31a82d101a97dcb
  SHA1: 56e16e4df0944cb07e73a01301886644f062d79b
  SHA256: e7c8e7edd9112137895820e789baaaeca41626b01fb99fede82968ddb66d02cf
  SHA512: d6565ba18b5b9795d6bde3ef94d8f7cd77bf8bb69ba3fe7adefb80fc7c5d888cdfdc79238d86a0839846aea4a1e51fc0caed3d62f7054885e8b15fad9f6c654e