Analysis
- max time kernel: 150s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20230703-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230703-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21/08/2023, 11:07
- Static task: static1
- Behavioral task: behavioral1
- Sample: 875ba49f3e52ed56b670a5d4e9d2094c2561ed7c4b8bfbf872cb7eede13db829.exe
- Resource: win7-20230712-en
General
- Target: 875ba49f3e52ed56b670a5d4e9d2094c2561ed7c4b8bfbf872cb7eede13db829.exe
- Size: 104KB
- MD5: 4e68ebe262d74b58423c0e3010877fc0
- SHA1: 6d10225234e3b9fdc4fe5e1ee1ba1e5f73e84ed9
- SHA256: 875ba49f3e52ed56b670a5d4e9d2094c2561ed7c4b8bfbf872cb7eede13db829
- SHA512: 95f89b49d9e2d9e505c33819cdbe23b0d2d8ec425f48854d263373b3fb4aec04602cb6d34271c50351e059a8d65db15723779d86eeeb3e3c8ff1e36d509e2261
- SSDEEP: 1536:PFUaYzMXqtGNttyUn01Q78a4RLib6KSevQ1ztO9kRteb:PqaY46tGNttyJQ7KRGmKSevmpO9Wteb
Malware Config
Signatures
- Drops file in Drivers directory (2 IoCs)
  description | ioc | Process
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | 875ba49f3e52ed56b670a5d4e9d2094c2561ed7c4b8bfbf872cb7eede13db829.exe
  File opened for modification | C:\Windows\system32\drivers\etc\hosts | Logo1_.exe
- Drops startup file (2 IoCs)
  description | ioc | Process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
- Executes dropped EXE (2 IoCs)
  pid | Process
  4104 | Logo1_.exe
  1724 | 875ba49f3e52ed56b670a5d4e9d2094c2561ed7c4b8bfbf872cb7eede13db829.exe
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Enumerates connected drives (3 TTPs, 21 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\H: | Logo1_.exe
  File opened (read-only) | \??\Y: | Logo1_.exe
  File opened (read-only) | \??\U: | Logo1_.exe
  File opened (read-only) | \??\T: | Logo1_.exe
  File opened (read-only) | \??\R: | Logo1_.exe
  File opened (read-only) | \??\Q: | Logo1_.exe
  File opened (read-only) | \??\O: | Logo1_.exe
  File opened (read-only) | \??\L: | Logo1_.exe
  File opened (read-only) | \??\G: | Logo1_.exe
  File opened (read-only) | \??\Z: | Logo1_.exe
  File opened (read-only) | \??\X: | Logo1_.exe
  File opened (read-only) | \??\W: | Logo1_.exe
  File opened (read-only) | \??\V: | Logo1_.exe
  File opened (read-only) | \??\P: | Logo1_.exe
  File opened (read-only) | \??\I: | Logo1_.exe
  File opened (read-only) | \??\S: | Logo1_.exe
  File opened (read-only) | \??\M: | Logo1_.exe
  File opened (read-only) | \??\K: | Logo1_.exe
  File opened (read-only) | \??\J: | Logo1_.exe
  File opened (read-only) | \??\N: | Logo1_.exe
  File opened (read-only) | \??\E: | Logo1_.exe
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (4 IoCs)
  description | ioc | Process
  File created | C:\Windows\Dll.dll | Logo1_.exe
  File created | C:\Windows\rundl132.exe | 875ba49f3e52ed56b670a5d4e9d2094c2561ed7c4b8bfbf872cb7eede13db829.exe
  File created | C:\Windows\Logo1_.exe | 875ba49f3e52ed56b670a5d4e9d2094c2561ed7c4b8bfbf872cb7eede13db829.exe
  File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious use of WriteProcessMemory (29 IoCs)
  description | pid | Process | procid_target
  PID 4972 wrote to memory of 2856 | 4972 | 875ba49f3e52ed56b670a5d4e9d2094c2561ed7c4b8bfbf872cb7eede13db829.exe | 82
  PID 4972 wrote to memory of 2856 | 4972 | 875ba49f3e52ed56b670a5d4e9d2094c2561ed7c4b8bfbf872cb7eede13db829.exe | 82
  PID 4972 wrote to memory of 2856 | 4972 | 875ba49f3e52ed56b670a5d4e9d2094c2561ed7c4b8bfbf872cb7eede13db829.exe | 82
  PID 2856 wrote to memory of 1908 | 2856 | net.exe | 84
  PID 2856 wrote to memory of 1908 | 2856 | net.exe | 84
  PID 2856 wrote to memory of 1908 | 2856 | net.exe | 84
  PID 4972 wrote to memory of 3040 | 4972 | 875ba49f3e52ed56b670a5d4e9d2094c2561ed7c4b8bfbf872cb7eede13db829.exe | 85
  PID 4972 wrote to memory of 3040 | 4972 | 875ba49f3e52ed56b670a5d4e9d2094c2561ed7c4b8bfbf872cb7eede13db829.exe | 85
  PID 4972 wrote to memory of 3040 | 4972 | 875ba49f3e52ed56b670a5d4e9d2094c2561ed7c4b8bfbf872cb7eede13db829.exe | 85
  PID 4972 wrote to memory of 4104 | 4972 | 875ba49f3e52ed56b670a5d4e9d2094c2561ed7c4b8bfbf872cb7eede13db829.exe | 87
  PID 4972 wrote to memory of 4104 | 4972 | 875ba49f3e52ed56b670a5d4e9d2094c2561ed7c4b8bfbf872cb7eede13db829.exe | 87
  PID 4972 wrote to memory of 4104 | 4972 | 875ba49f3e52ed56b670a5d4e9d2094c2561ed7c4b8bfbf872cb7eede13db829.exe | 87
  PID 4104 wrote to memory of 1408 | 4104 | Logo1_.exe | 88
  PID 4104 wrote to memory of 1408 | 4104 | Logo1_.exe | 88
  PID 4104 wrote to memory of 1408 | 4104 | Logo1_.exe | 88
  PID 1408 wrote to memory of 4396 | 1408 | net.exe | 90
  PID 1408 wrote to memory of 4396 | 1408 | net.exe | 90
  PID 1408 wrote to memory of 4396 | 1408 | net.exe | 90
  PID 3040 wrote to memory of 1724 | 3040 | cmd.exe | 91
  PID 3040 wrote to memory of 1724 | 3040 | cmd.exe | 91
  PID 3040 wrote to memory of 1724 | 3040 | cmd.exe | 91
  PID 4104 wrote to memory of 3736 | 4104 | Logo1_.exe | 92
  PID 4104 wrote to memory of 3736 | 4104 | Logo1_.exe | 92
  PID 4104 wrote to memory of 3736 | 4104 | Logo1_.exe | 92
  PID 3736 wrote to memory of 4332 | 3736 | net.exe | 96
  PID 3736 wrote to memory of 4332 | 3736 | net.exe | 96
  PID 3736 wrote to memory of 4332 | 3736 | net.exe | 96
  PID 4104 wrote to memory of 3140 | 4104 | Logo1_.exe | 33
  PID 4104 wrote to memory of 3140 | 4104 | Logo1_.exe | 33
Processes
- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3140
  - C:\Users\Admin\AppData\Local\Temp\875ba49f3e52ed56b670a5d4e9d2094c2561ed7c4b8bfbf872cb7eede13db829.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\875ba49f3e52ed56b670a5d4e9d2094c2561ed7c4b8bfbf872cb7eede13db829.exe"
    Signatures: Drops file in Drivers directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    PID: 4972
    - C:\Windows\SysWOW64\net.exe
      Command line: net stop "Kingsoft AntiVirus Service"
      Signatures: Suspicious use of WriteProcessMemory
      PID: 2856
      - C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        PID: 1908
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8184.bat
      Signatures: Suspicious use of WriteProcessMemory
      PID: 3040
      - C:\Users\Admin\AppData\Local\Temp\875ba49f3e52ed56b670a5d4e9d2094c2561ed7c4b8bfbf872cb7eede13db829.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\875ba49f3e52ed56b670a5d4e9d2094c2561ed7c4b8bfbf872cb7eede13db829.exe"
        Signatures: Executes dropped EXE
        PID: 1724
    - C:\Windows\Logo1_.exe
      Command line: C:\Windows\Logo1_.exe
      Signatures: Drops file in Drivers directory; Drops startup file; Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      PID: 4104
      - C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        PID: 1408
        - C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 4396
      - C:\Windows\SysWOW64\net.exe
        Command line: net stop "Kingsoft AntiVirus Service"
        Signatures: Suspicious use of WriteProcessMemory
        PID: 3736
        - C:\Windows\SysWOW64\net1.exe
          Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          PID: 4332
Network
MITRE ATT&CK Enterprise v15
Downloads