Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-04-2024 17:58
- Static task: static1
- Behavioral task: behavioral1
- Sample: 8cec4d595be46302cab935e68b275aa07d1bd4989fb05290c12563c15e2dabf1.exe
- Resource: win7-20240215-en

General
- Target: 8cec4d595be46302cab935e68b275aa07d1bd4989fb05290c12563c15e2dabf1.exe
- Size: 93KB
- MD5: 08bcf0df6b84711e9beea3d56b2c7980
- SHA1: 236484c2cc770445cb857022e926207870ac35b0
- SHA256: 8cec4d595be46302cab935e68b275aa07d1bd4989fb05290c12563c15e2dabf1
- SHA512: 9e8fd5993a8dd62e2cc59dceb570770c482766b54eb7be7237d0132abfcdf8a5608562ccb91d84457fe9d2b98372e1fc4ea7bfed554ac8af3366fad3cf540373
- SSDEEP: 1536:PVaYzMXqtGNttyUn01Q78a4Rqyapmebn4ddJZeY86iLflLJYEIs67rxo:PVaY46tGNttyJQ7KR/LK4ddJMY86ipmU
Malware Config
Signatures
-
Drops file in Drivers directory 2 IoCs
Processes: 8cec4d595be46302cab935e68b275aa07d1bd4989fb05290c12563c15e2dabf1.exe, Logo1_.exe
- File opened for modification: C:\Windows\system32\drivers\etc\hosts (8cec4d595be46302cab935e68b275aa07d1bd4989fb05290c12563c15e2dabf1.exe)
- File opened for modification: C:\Windows\system32\drivers\etc\hosts (Logo1_.exe)
Drops startup file 2 IoCs
Processes: Logo1_.exe
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (Logo1_.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (Logo1_.exe)
Executes dropped EXE 2 IoCs
Processes: Logo1_.exe, 8cec4d595be46302cab935e68b275aa07d1bd4989fb05290c12563c15e2dabf1.exe
- PID 3964: Logo1_.exe
- PID 692: 8cec4d595be46302cab935e68b275aa07d1bd4989fb05290c12563c15e2dabf1.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: Logo1_.exe
- File opened (read-only): \??\R: (Logo1_.exe)
- File opened (read-only): \??\L: (Logo1_.exe)
- File opened (read-only): \??\K: (Logo1_.exe)
- File opened (read-only): \??\Y: (Logo1_.exe)
- File opened (read-only): \??\S: (Logo1_.exe)
- File opened (read-only): \??\J: (Logo1_.exe)
- File opened (read-only): \??\I: (Logo1_.exe)
- File opened (read-only): \??\H: (Logo1_.exe)
- File opened (read-only): \??\Z: (Logo1_.exe)
- File opened (read-only): \??\W: (Logo1_.exe)
- File opened (read-only): \??\P: (Logo1_.exe)
- File opened (read-only): \??\O: (Logo1_.exe)
- File opened (read-only): \??\X: (Logo1_.exe)
- File opened (read-only): \??\Q: (Logo1_.exe)
- File opened (read-only): \??\T: (Logo1_.exe)
- File opened (read-only): \??\N: (Logo1_.exe)
- File opened (read-only): \??\M: (Logo1_.exe)
- File opened (read-only): \??\G: (Logo1_.exe)
- File opened (read-only): \??\E: (Logo1_.exe)
- File opened (read-only): \??\V: (Logo1_.exe)
- File opened (read-only): \??\U: (Logo1_.exe)
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 4 IoCs
Processes: 8cec4d595be46302cab935e68b275aa07d1bd4989fb05290c12563c15e2dabf1.exe, Logo1_.exe
- File created: C:\Windows\rundl132.exe (8cec4d595be46302cab935e68b275aa07d1bd4989fb05290c12563c15e2dabf1.exe)
- File created: C:\Windows\Logo1_.exe (8cec4d595be46302cab935e68b275aa07d1bd4989fb05290c12563c15e2dabf1.exe)
- File opened for modification: C:\Windows\rundl132.exe (Logo1_.exe)
- File created: C:\Windows\Dll.dll (Logo1_.exe)
Runs net.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of WriteProcessMemory 28 IoCs
Processes
- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), PID 3472
  - C:\Users\Admin\AppData\Local\Temp\8cec4d595be46302cab935e68b275aa07d1bd4989fb05290c12563c15e2dabf1.exe (command line: "C:\Users\Admin\AppData\Local\Temp\8cec4d595be46302cab935e68b275aa07d1bd4989fb05290c12563c15e2dabf1.exe"), PID 836
    Signatures: Drops file in Drivers directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (command line: net stop "Kingsoft AntiVirus Service"), PID 752
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"), PID 1260
    - C:\Windows\SysWOW64\cmd.exe (command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4882.bat), PID 2468
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\8cec4d595be46302cab935e68b275aa07d1bd4989fb05290c12563c15e2dabf1.exe (command line: "C:\Users\Admin\AppData\Local\Temp\8cec4d595be46302cab935e68b275aa07d1bd4989fb05290c12563c15e2dabf1.exe"), PID 692
        Signatures: Executes dropped EXE
    - C:\Windows\Logo1_.exe (command line: C:\Windows\Logo1_.exe), PID 3964
      Signatures: Drops file in Drivers directory; Drops startup file; Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (command line: net stop "Kingsoft AntiVirus Service"), PID 740
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"), PID 4148
      - C:\Windows\SysWOW64\net.exe (command line: net stop "Kingsoft AntiVirus Service"), PID 4144
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"), PID 1420
Network
MITRE ATT&CK Enterprise v15
Downloads