Analysis

max time kernel: 150s
max time network: 147s
platform: windows10-2004_x64
resource: win10v2004-20230703-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18/08/2023, 01:39
Static task: static1
Behavioral task: behavioral1
Sample: 040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
Resource: win7-20230712-en
General

Target: 040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
Size: 66KB
MD5: b0740d80c3b9d5106fe78701189af31f
SHA1: a269636c61fa84ab72b59a5a06b4e0d7b9cc886c
SHA256: 040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b
SHA512: 5af31140dd0766e97e9306ba1c92c5843518977eb09929747a96abf7541fd298ccbd05f70091f33b721150d312d351da2fa11b809ca2f7bfacfa1c8d6ce42c71
SSDEEP: 1536:Ai4srz8dOBN9aunrxb4yzwC132n6RbK1A:A48oBN9aulb4yzjRbaA
Malware Config

Signatures

Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
Executes dropped EXE (2 IoCs)
pid | Process
2476 | Logo1_.exe
4404 | 040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-gb\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pt-br\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\VBA7.1\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-fr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ar-ae\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-cn\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\themes\dark\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ko-kr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pl-pl\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-il\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Calculator\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\Licenses\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\css\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-si\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\tnameserv.exe | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\lua\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\es-es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-ae\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pt-br\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\tr-tr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-il\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\etc\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ja-jp\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\WATER\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\16\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_output\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\UIThemes\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ca-es\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\update_tracking\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\_desktop.ini | Logo1_.exe
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\Dll.dll | Logo1_.exe
File created | C:\Windows\rundl132.exe | 040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
File created | C:\Windows\Logo1_.exe | 040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process | entries
2468 | 040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe | 26 identical entries
2476 | Logo1_.exe | 38 identical entries
Suspicious use of WriteProcessMemory (29 IoCs)
description | pid | Process | procid_target
PID 2468 wrote to memory of 3868 | 2468 | 040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe | 82
PID 2468 wrote to memory of 3868 | 2468 | 040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe | 82
PID 2468 wrote to memory of 3868 | 2468 | 040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe | 82
PID 3868 wrote to memory of 4316 | 3868 | net.exe | 84
PID 3868 wrote to memory of 4316 | 3868 | net.exe | 84
PID 3868 wrote to memory of 4316 | 3868 | net.exe | 84
PID 2468 wrote to memory of 3456 | 2468 | 040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe | 85
PID 2468 wrote to memory of 3456 | 2468 | 040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe | 85
PID 2468 wrote to memory of 3456 | 2468 | 040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe | 85
PID 2468 wrote to memory of 2476 | 2468 | 040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe | 87
PID 2468 wrote to memory of 2476 | 2468 | 040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe | 87
PID 2468 wrote to memory of 2476 | 2468 | 040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe | 87
PID 2476 wrote to memory of 3684 | 2476 | Logo1_.exe | 89
PID 2476 wrote to memory of 3684 | 2476 | Logo1_.exe | 89
PID 2476 wrote to memory of 3684 | 2476 | Logo1_.exe | 89
PID 3684 wrote to memory of 4644 | 3684 | net.exe | 90
PID 3684 wrote to memory of 4644 | 3684 | net.exe | 90
PID 3684 wrote to memory of 4644 | 3684 | net.exe | 90
PID 3456 wrote to memory of 4404 | 3456 | cmd.exe | 91
PID 3456 wrote to memory of 4404 | 3456 | cmd.exe | 91
PID 3456 wrote to memory of 4404 | 3456 | cmd.exe | 91
PID 2476 wrote to memory of 3824 | 2476 | Logo1_.exe | 93
PID 2476 wrote to memory of 3824 | 2476 | Logo1_.exe | 93
PID 2476 wrote to memory of 3824 | 2476 | Logo1_.exe | 93
PID 3824 wrote to memory of 4092 | 3824 | net.exe | 95
PID 3824 wrote to memory of 4092 | 3824 | net.exe | 95
PID 3824 wrote to memory of 4092 | 3824 | net.exe | 95
PID 2476 wrote to memory of 3152 | 2476 | Logo1_.exe | 50
PID 2476 wrote to memory of 3152 | 2476 | Logo1_.exe | 50
Processes

Level 1: C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE
    PID: 3152

    Level 2: C:\Users\Admin\AppData\Local\Temp\040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe"
        Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
        PID: 2468

        Level 3: C:\Windows\SysWOW64\net.exe
            Command line: net stop "Kingsoft AntiVirus Service"
            Signatures: Suspicious use of WriteProcessMemory
            PID: 3868

            Level 4: C:\Windows\SysWOW64\net1.exe
                Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                PID: 4316

        Level 3: C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD958.bat
            Signatures: Suspicious use of WriteProcessMemory
            PID: 3456

            Level 4: C:\Users\Admin\AppData\Local\Temp\040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
                Command line: "C:\Users\Admin\AppData\Local\Temp\040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe"
                Signatures: Executes dropped EXE
                PID: 4404

        Level 3: C:\Windows\Logo1_.exe
            Command line: C:\Windows\Logo1_.exe
            Signatures: Drops startup file; Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
            PID: 2476

            Level 4: C:\Windows\SysWOW64\net.exe
                Command line: net stop "Kingsoft AntiVirus Service"
                Signatures: Suspicious use of WriteProcessMemory
                PID: 3684

                Level 5: C:\Windows\SysWOW64\net1.exe
                    Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                    PID: 4644

            Level 4: C:\Windows\SysWOW64\net.exe
                Command line: net stop "Kingsoft AntiVirus Service"
                Signatures: Suspicious use of WriteProcessMemory
                PID: 3824

                Level 5: C:\Windows\SysWOW64\net1.exe
                    Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
                    PID: 4092
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 258KB
MD5: 3d85e6d92ac7be70637f958dde2b011e
SHA1: de203840649525f16e0bca64ac03d6288a1b7316
SHA256: 7d1496ae1660972107f77423879bcf3dbd8c4d4feed5690d8a756d1aadc5ded7
SHA512: 7744e7e7570e10113f07b2f576679642a16269979978edac66a3e311171635dadc407d08533761e97231f77fc37684b6b7aca655b7d6a6d95fd4ac6764e34afd

Filesize: 619KB
MD5: 6960486b0b15bbc16ebd4880d6d8cf53
SHA1: a6e64425f1f3a00497bcfaa1b19f77795a457645
SHA256: eb2550f51212b4aff4fb87768a016dba7b9a32e1d4d317a815614c751444cd41
SHA512: 0063c2899f173dd5bf8824e39ea74eda931cbc7a4a69d4805239eb0b3e574849787ea3542568c3096504836c3d08c7713e599b8239eeb3c6d0894693287ab02b

Filesize: 478KB
MD5: f42c7fca4a74677fc3f9dff9c92bc66a
SHA1: 485aefa513bd7cf9546571c9d5bbfaea2e2aa761
SHA256: a762874c0c4e1b60ae4dd0d93778af865eceff9edb71debfc90b7827cec0665f
SHA512: afd338ea3b920930eb18853143277705d7a481611d207c732bbaea188e289481c42f80a48af4d2712e823424d993346a01b148aa64583198e4dbf2bf75c791f4

Filesize: 722B
MD5: 75adc8799a9ca60b428dddf402b5d3bc
SHA1: 8ead366ecded946e6d93007058d7325a8cd8f78e
SHA256: 84a38e45e38f6e231b6a4b55dc60fd1b0f32e1821286adc92827e983959ad6c1
SHA512: 652202d59686b7a770eb49a8b915a3b308e74885dd61006f1948e442b457a6b0eaeb21845a2dad1c56b0ba7b9b42123d0c9e0ca2d13f33136ccdf42d3937ef3b

C:\Users\Admin\AppData\Local\Temp\040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe
Filesize: 33KB
MD5: 52886e1f39689e26425482ee3a448ec2
SHA1: ac125f76ce72cc9afb6d45a9d416f414d89aa526
SHA256: 6ec5438e178d75a9598cc4a56f3a91975537bc7357d42dd7a95b663cc45ecb1c
SHA512: f3c4e4513bdd3b420320c38383b7fc41d0d0a16ba023db47cd48ba5803e86103e9ac134cddf9b0d9deef076819784f77bbd8c8c24aef4293bed9803ad3e85508

C:\Users\Admin\AppData\Local\Temp\040c5e40ee70b77f45308c0db5fcfb14a3d2933ae638ef7b3d1e6c9f937c996b.exe.exe
Filesize: 33KB
MD5: 52886e1f39689e26425482ee3a448ec2
SHA1: ac125f76ce72cc9afb6d45a9d416f414d89aa526
SHA256: 6ec5438e178d75a9598cc4a56f3a91975537bc7357d42dd7a95b663cc45ecb1c
SHA512: f3c4e4513bdd3b420320c38383b7fc41d0d0a16ba023db47cd48ba5803e86103e9ac134cddf9b0d9deef076819784f77bbd8c8c24aef4293bed9803ad3e85508

Filesize: 33KB
MD5: 4b8d5611897671cb722c88a92fea57cd
SHA1: d2bd76334c02d3aff4a8dfe3477162c85f8c14c9
SHA256: 0a05a55fa316d55995d50de7a9ebcde75cbedee25846d320bffaef1eec6b34a2
SHA512: 821aaadb27a1d2f0ac1b2fd3c9da43dc65ad00481d18f4a4c660b1bf0065dbe8ba1a736c713c40923b98ad8858f14e5c50efa21530efbe430db54a477b9075a8

Filesize: 33KB
MD5: 4b8d5611897671cb722c88a92fea57cd
SHA1: d2bd76334c02d3aff4a8dfe3477162c85f8c14c9
SHA256: 0a05a55fa316d55995d50de7a9ebcde75cbedee25846d320bffaef1eec6b34a2
SHA512: 821aaadb27a1d2f0ac1b2fd3c9da43dc65ad00481d18f4a4c660b1bf0065dbe8ba1a736c713c40923b98ad8858f14e5c50efa21530efbe430db54a477b9075a8

Filesize: 33KB
MD5: 4b8d5611897671cb722c88a92fea57cd
SHA1: d2bd76334c02d3aff4a8dfe3477162c85f8c14c9
SHA256: 0a05a55fa316d55995d50de7a9ebcde75cbedee25846d320bffaef1eec6b34a2
SHA512: 821aaadb27a1d2f0ac1b2fd3c9da43dc65ad00481d18f4a4c660b1bf0065dbe8ba1a736c713c40923b98ad8858f14e5c50efa21530efbe430db54a477b9075a8

Filesize: 9B
MD5: 16548fefb55deef0a354259a11e1cc14
SHA1: 6e4f38c24333eb1c8bcc91e4e4042ce600a44c4f
SHA256: f6d78c8a802bfc4dded630ac9f8d33fb335ab11d45bb742fac993f8d42ea327c
SHA512: 1fcd0a93c383bf38b97073a84ac50c78149cd1160299e71676fc5a3a6f655affac3a0e2433cf5bc4c145cda0ec44a23d13e1da953e15feefb0b9cefd84204271