Analysis
- max time kernel: 152s
- max time network: 156s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 24-11-2022 00:27
Static task: static1
Behavioral task: behavioral1
Sample: 3a05d5e25a465a553212056d9037d5c7b7e9565ba309961b57603457321cb01e.exe
Resource: win7-20220812-en
General
- Target: 3a05d5e25a465a553212056d9037d5c7b7e9565ba309961b57603457321cb01e.exe
- Size: 58KB
- MD5: 2fd8bd94ec8b0c1826993a7b51957810
- SHA1: 03fec5b4fae4b00f3a256d3d902f2a1562feb220
- SHA256: 3a05d5e25a465a553212056d9037d5c7b7e9565ba309961b57603457321cb01e
- SHA512: 1d1478a97805b2052b5bce6c13d1b254439bb4943dfce2ff8f25e2b214f6130028488b72cec78da4747dccf4aba7f56c8e1dd01aef7d3c09a463c767481d05d4
- SSDEEP: 1536:PnXyAaYzMXqtGNttyUn01Q78a4RiZ/7Xn1nlMtI:PnCAaY46tGNttyJQ7KRiZ/7X1+tI
Malware Config
Signatures
-
Drops file in Drivers directory (2 IoCs)
Processes: 3a05d5e25a465a553212056d9037d5c7b7e9565ba309961b57603457321cb01e.exe, Logo1_.exe
description | ioc | process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | 3a05d5e25a465a553212056d9037d5c7b7e9565ba309961b57603457321cb01e.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | Logo1_.exe
-
Executes dropped EXE (2 IoCs)
Processes: Logo1_.exe, 3a05d5e25a465a553212056d9037d5c7b7e9565ba309961b57603457321cb01e.exe
pid | process
1412 | Logo1_.exe
4136 | 3a05d5e25a465a553212056d9037d5c7b7e9565ba309961b57603457321cb01e.exe
-
Drops startup file (2 IoCs)
Processes: Logo1_.exe
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives (3 TTPs, 22 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: Logo1_.exe
description | ioc | process
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\F: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
-
Drops file in Program Files directory (64 IoCs)
Processes: Logo1_.exe
description | ioc | process
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hr-hr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\es-es\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\MEIPreload\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Cultures\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\tr-tr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\SetupMetrics\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-fr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\he-il\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ja-jp\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\WindowsPowerShell\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\uk\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\he-il\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\es-es\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-il\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ar-ae\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\bin\jp2launcher.exe | Logo1_.exe
File opened for modification | C:\Program Files\Mozilla Firefox\defaults\pref\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Google\Temp\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\bin\java-rmi.exe | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-ae\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pt-br\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\pt-br\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\da-dk\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Windows Security\BrowserCore\en-US\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-si\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\tr-tr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft\EdgeCore\104.0.1293.47\Installer\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\rhp\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-ae\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ru-ru\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ko-kr\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\access\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Windows Photo Viewer\ImagingDevices.exe | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\css\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\it-it\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-ae\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\_desktop.ini | Logo1_.exe
-
Drops file in Windows directory (4 IoCs)
Processes: 3a05d5e25a465a553212056d9037d5c7b7e9565ba309961b57603457321cb01e.exe, Logo1_.exe
description | ioc | process
File created | C:\Windows\Logo1_.exe | 3a05d5e25a465a553212056d9037d5c7b7e9565ba309961b57603457321cb01e.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\Dll.dll | Logo1_.exe
File created | C:\Windows\rundl132.exe | 3a05d5e25a465a553212056d9037d5c7b7e9565ba309961b57603457321cb01e.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 3a05d5e25a465a553212056d9037d5c7b7e9565ba309961b57603457321cb01e.exe, Logo1_.exe
pid | process
5004 | 3a05d5e25a465a553212056d9037d5c7b7e9565ba309961b57603457321cb01e.exe (26 identical entries)
1412 | Logo1_.exe (38 identical entries)
-
Suspicious use of WriteProcessMemory (29 IoCs)
Processes: 3a05d5e25a465a553212056d9037d5c7b7e9565ba309961b57603457321cb01e.exe, net.exe, Logo1_.exe, net.exe, cmd.exe, net.exe
description | pid | process | target process
PID 5004 wrote to memory of 4220 | 5004 | 3a05d5e25a465a553212056d9037d5c7b7e9565ba309961b57603457321cb01e.exe | net.exe (3 identical entries)
PID 5004 wrote to memory of 4484 | 5004 | 3a05d5e25a465a553212056d9037d5c7b7e9565ba309961b57603457321cb01e.exe | cmd.exe (3 identical entries)
PID 5004 wrote to memory of 1412 | 5004 | 3a05d5e25a465a553212056d9037d5c7b7e9565ba309961b57603457321cb01e.exe | Logo1_.exe (3 identical entries)
PID 4220 wrote to memory of 5112 | 4220 | net.exe | net1.exe (3 identical entries)
PID 1412 wrote to memory of 5088 | 1412 | Logo1_.exe | net.exe (3 identical entries)
PID 5088 wrote to memory of 1984 | 5088 | net.exe | net1.exe (3 identical entries)
PID 4484 wrote to memory of 4136 | 4484 | cmd.exe | 3a05d5e25a465a553212056d9037d5c7b7e9565ba309961b57603457321cb01e.exe (3 identical entries)
PID 1412 wrote to memory of 3956 | 1412 | Logo1_.exe | net.exe (3 identical entries)
PID 3956 wrote to memory of 2340 | 3956 | net.exe | net1.exe (3 identical entries)
PID 1412 wrote to memory of 760 | 1412 | Logo1_.exe | Explorer.EXE (2 identical entries)
Processes
-
[1] C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
  [2] C:\Users\Admin\AppData\Local\Temp\3a05d5e25a465a553212056d9037d5c7b7e9565ba309961b57603457321cb01e.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\3a05d5e25a465a553212056d9037d5c7b7e9565ba309961b57603457321cb01e.exe"
      - Drops file in Drivers directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\net.exe
        command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\net1.exe
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
    [3] C:\Windows\SysWOW64\cmd.exe
        command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7ABE.bat
        - Suspicious use of WriteProcessMemory
      [4] C:\Users\Admin\AppData\Local\Temp\3a05d5e25a465a553212056d9037d5c7b7e9565ba309961b57603457321cb01e.exe
          command line: "C:\Users\Admin\AppData\Local\Temp\3a05d5e25a465a553212056d9037d5c7b7e9565ba309961b57603457321cb01e.exe"
          - Executes dropped EXE
    [3] C:\Windows\Logo1_.exe
        command line: C:\Windows\Logo1_.exe
        - Drops file in Drivers directory
        - Executes dropped EXE
        - Drops startup file
        - Enumerates connected drives
        - Drops file in Program Files directory
        - Drops file in Windows directory
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\net.exe
          command line: net stop "Kingsoft AntiVirus Service"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\net1.exe
            command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      [4] C:\Windows\SysWOW64\net.exe
          command line: net stop "Kingsoft AntiVirus Service"
          - Suspicious use of WriteProcessMemory
        [5] C:\Windows\SysWOW64\net1.exe
            command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\$$a7ABE.bat
  Filesize: 722B
  MD5: b4c9b73d30fd7dc892a9af0b4e978854
  SHA1: 69f05d1e260e7ca56065f597be90b63ca4fb747f
  SHA256: 5c65ca9bedd30519cd115847c78b73c7cc87444c75e1c0707b7249dd95d2b84c
  SHA512: 813a46950a6ca392f24f854647eed59149bd337ea3d10c8ba66120e32aacd6c56f80d18a6a9585cf05027d26fe278c2129b3c4ee65397b44f8e11df8df7bca89
-
C:\Users\Admin\AppData\Local\Temp\3a05d5e25a465a553212056d9037d5c7b7e9565ba309961b57603457321cb01e.exe
  Filesize: 25KB
  MD5: 123d872b188d32af8c3133250060b071
  SHA1: 26fdd3b97f1a48bbdf31dc2a2922a6817a956b3c
  SHA256: 38aff1a95ee8fffb0c59670da15d6740ab855b106350cc428125a569c18b6fa2
  SHA512: 67eeea2ca1508d84d21d46989c7530505247bbea497b4ff09c57228a599420754fd0bb78a993be19ad6d8d19777e8203f8ddfa9be05ea1bff7a0feea05d1a12c
-
C:\Users\Admin\AppData\Local\Temp\3a05d5e25a465a553212056d9037d5c7b7e9565ba309961b57603457321cb01e.exe.exe
  Filesize: 25KB
  MD5: 123d872b188d32af8c3133250060b071
  SHA1: 26fdd3b97f1a48bbdf31dc2a2922a6817a956b3c
  SHA256: 38aff1a95ee8fffb0c59670da15d6740ab855b106350cc428125a569c18b6fa2
  SHA512: 67eeea2ca1508d84d21d46989c7530505247bbea497b4ff09c57228a599420754fd0bb78a993be19ad6d8d19777e8203f8ddfa9be05ea1bff7a0feea05d1a12c
-
C:\Windows\Logo1_.exe
  Filesize: 33KB
  MD5: 9bfb664a030be9c7e0b09b77b9544923
  SHA1: e0b5e4d2d089f71d13fb46607a76dac8ee96e5f3
  SHA256: e79be27d4144facf4b2189e8c51bb19ce8bc6b8e40012e557a943d5b75a41e85
  SHA512: c794bb95e6b591b1a877776e84bed36049c73ab05ab86869b4da3cd6db5a57c8b4e6816d8a1ca14b94c3e17e6a6aa29f8d736e5fe7930a175b31338883c89c92
-
C:\Windows\Logo1_.exe
  Filesize: 33KB
  MD5: 9bfb664a030be9c7e0b09b77b9544923
  SHA1: e0b5e4d2d089f71d13fb46607a76dac8ee96e5f3
  SHA256: e79be27d4144facf4b2189e8c51bb19ce8bc6b8e40012e557a943d5b75a41e85
  SHA512: c794bb95e6b591b1a877776e84bed36049c73ab05ab86869b4da3cd6db5a57c8b4e6816d8a1ca14b94c3e17e6a6aa29f8d736e5fe7930a175b31338883c89c92
-
C:\Windows\rundl132.exe
  Filesize: 33KB
  MD5: 9bfb664a030be9c7e0b09b77b9544923
  SHA1: e0b5e4d2d089f71d13fb46607a76dac8ee96e5f3
  SHA256: e79be27d4144facf4b2189e8c51bb19ce8bc6b8e40012e557a943d5b75a41e85
  SHA512: c794bb95e6b591b1a877776e84bed36049c73ab05ab86869b4da3cd6db5a57c8b4e6816d8a1ca14b94c3e17e6a6aa29f8d736e5fe7930a175b31338883c89c92
-
memory/1412-146-0x0000000000400000-0x000000000043E000-memory.dmp
  Filesize: 248KB
-
memory/1412-150-0x0000000000400000-0x000000000043E000-memory.dmp
  Filesize: 248KB
-
memory/1412-135-0x0000000000000000-mapping.dmp
-
memory/1984-141-0x0000000000000000-mapping.dmp
-
memory/2340-149-0x0000000000000000-mapping.dmp
-
memory/3956-148-0x0000000000000000-mapping.dmp
-
memory/4136-144-0x0000000000000000-mapping.dmp
-
memory/4220-133-0x0000000000000000-mapping.dmp
-
memory/4484-134-0x0000000000000000-mapping.dmp
-
memory/5004-132-0x0000000000400000-0x000000000043E000-memory.dmp
  Filesize: 248KB
-
memory/5004-138-0x0000000000400000-0x000000000043E000-memory.dmp
  Filesize: 248KB
-
memory/5088-140-0x0000000000000000-mapping.dmp
-
memory/5112-139-0x0000000000000000-mapping.dmp