Analysis
- max time kernel: 142s
- max time network: 144s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20/10/2022, 22:48
- Static task: static1
- Behavioral task: behavioral1
- Sample: 4682ad39fef4157aeaa497ffc0cd8e9f61915c1aff83d28f47306c9a97d152b9.exe
- Resource: win7-20220812-en
General
- Target: 4682ad39fef4157aeaa497ffc0cd8e9f61915c1aff83d28f47306c9a97d152b9.exe
- Size: 479KB
- MD5: 4401e035c0f3d776a854ef3cd3cd9080
- SHA1: af7eb0ba46b6aae5c5b64c52e3e8a0cceb228de5
- SHA256: 4682ad39fef4157aeaa497ffc0cd8e9f61915c1aff83d28f47306c9a97d152b9
- SHA512: 037af2948cc83d17a9f660a91b03fb63e47fdff6b0652161b343307932928136ae91a2be21519e19517c38578b6fa630caaeaa90ccf2bf214f97a87a1bb4877f
- SSDEEP: 3072:i1e+aX3K1fOHoqnPzErBJQCObI9bjI95xt5YZ3iV1cebaf4xmVoqiCiRSpnzIpTX:L+aX36WHoqnauRb0czOy/
Malware Config
Signatures
Executes dropped EXE 2 IoCs
  pid | Process
  4016 | Logo1_.exe
  1932 | 4682ad39fef4157aeaa497ffc0cd8e9f61915c1aff83d28f47306c9a97d152b9.exe
Drops startup file 2 IoCs
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
Reads user/profile data of web browsers 2 TTPs
  Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives 3 TTPs 22 IoCs
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\Q:, \??\P:, \??\M:, \??\L:, \??\K:, \??\J:, \??\V:, \??\U:, \??\I:, \??\H:, \??\O:, \??\F:, \??\X:, \??\W:, \??\S:, \??\N:, \??\G:, \??\E:, \??\Z:, \??\T:, \??\Y:, \??\R: | Logo1_.exe
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
  description | ioc | Process
  File created | C:\Windows\rundl132.exe | 4682ad39fef4157aeaa497ffc0cd8e9f61915c1aff83d28f47306c9a97d152b9.exe
  File created | C:\Windows\Logo1_.exe | 4682ad39fef4157aeaa497ffc0cd8e9f61915c1aff83d28f47306c9a97d152b9.exe
  File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
  File created | C:\Windows\Dll.dll | Logo1_.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of WriteProcessMemory 29 IoCs
  (rows repeated in the report are collapsed; count gives the number of times each appears)
  description | pid | Process | procid_target | count
  PID 1512 wrote to memory of 1768 | 1512 | 4682ad39fef4157aeaa497ffc0cd8e9f61915c1aff83d28f47306c9a97d152b9.exe | 82 | 3
  PID 1768 wrote to memory of 4824 | 1768 | net.exe | 84 | 3
  PID 1512 wrote to memory of 5076 | 1512 | 4682ad39fef4157aeaa497ffc0cd8e9f61915c1aff83d28f47306c9a97d152b9.exe | 85 | 3
  PID 1512 wrote to memory of 4016 | 1512 | 4682ad39fef4157aeaa497ffc0cd8e9f61915c1aff83d28f47306c9a97d152b9.exe | 86 | 3
  PID 4016 wrote to memory of 5068 | 4016 | Logo1_.exe | 88 | 3
  PID 5068 wrote to memory of 2208 | 5068 | net.exe | 90 | 3
  PID 5076 wrote to memory of 1932 | 5076 | cmd.exe | 91 | 3
  PID 4016 wrote to memory of 2752 | 4016 | Logo1_.exe | 92 | 3
  PID 2752 wrote to memory of 4356 | 2752 | net.exe | 94 | 3
  PID 4016 wrote to memory of 380 | 4016 | Logo1_.exe | 40 | 2
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 380
  C:\Users\Admin\AppData\Local\Temp\4682ad39fef4157aeaa497ffc0cd8e9f61915c1aff83d28f47306c9a97d152b9.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\4682ad39fef4157aeaa497ffc0cd8e9f61915c1aff83d28f47306c9a97d152b9.exe"
    PID: 1512
    Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\net.exe
      Command line: net stop "Kingsoft AntiVirus Service"
      PID: 1768
      Signatures: Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        PID: 4824
    C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aB635.bat
      PID: 5076
      Signatures: Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\4682ad39fef4157aeaa497ffc0cd8e9f61915c1aff83d28f47306c9a97d152b9.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\4682ad39fef4157aeaa497ffc0cd8e9f61915c1aff83d28f47306c9a97d152b9.exe"
        PID: 1932
        Signatures: Executes dropped EXE
    C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      PID: 4016
      Signatures: Executes dropped EXE; Drops startup file; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        PID: 5068
        Signatures: Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 2208
      C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        PID: 2752
        Signatures: Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 4356
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 722B
  MD5: a419572de6d6e0e57cf6ea6de083c0f6
  SHA1: 1b8501a858bf7ca4fe0f34f1bd8200391c2831ee
  SHA256: 5260dde4bbdcd87535d7f537fe73d8e914f593fd80366656c217478a001d8473
  SHA512: 6b7aec2a6faf709bd03800af6261e1a04b977f8477430cb7aa8f487356d940b1e114e48ea68c1d72c5c40707b1188396e0a7a4e6e2d7e2b6edc552ced641996d
- C:\Users\Admin\AppData\Local\Temp\4682ad39fef4157aeaa497ffc0cd8e9f61915c1aff83d28f47306c9a97d152b9.exe
  Filesize: 446KB
  MD5: 8cb298752db9d1788ba28b747f436fd7
  SHA1: 1b829fd918fb40a3a436546605a376a5b825ed93
  SHA256: 601f7fbdb1d3b011b91fed9e569917c47d940e30bb14f4ff3a833e2ce33d6537
  SHA512: 743bde8a1337b32750ef96b955a6a8866550e6e8147625daffb4bc6e0d428825441cd1112b97ddeb0c1b0127b3760367507a8bf58b0f142e123b9429b0a09abb
- C:\Users\Admin\AppData\Local\Temp\4682ad39fef4157aeaa497ffc0cd8e9f61915c1aff83d28f47306c9a97d152b9.exe.exe
  Filesize: 446KB
  MD5: 8cb298752db9d1788ba28b747f436fd7
  SHA1: 1b829fd918fb40a3a436546605a376a5b825ed93
  SHA256: 601f7fbdb1d3b011b91fed9e569917c47d940e30bb14f4ff3a833e2ce33d6537
  SHA512: 743bde8a1337b32750ef96b955a6a8866550e6e8147625daffb4bc6e0d428825441cd1112b97ddeb0c1b0127b3760367507a8bf58b0f142e123b9429b0a09abb
- Filesize: 33KB
  MD5: f1042a7378ce88282deb18ef35670908
  SHA1: 818edb3673dc52f46cf7fb5b82b6e47101b91038
  SHA256: 55a0d9ff019371432587496f3ce7228def8bd7b6d5365f883663afa1af7348cb
  SHA512: cec7f1256c29c6805ffd1e0e2643318e7bfe447089317a3ae117fc762c3cb20cc08bcbd92435592a16b47a1999fd84e20f7f3734319d4dba186a0c28e9323079