Analysis

max time kernel: 149s
max time network: 98s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 07-04-2024 19:58

Static task: static1
Behavioral task: behavioral1
Sample: 67f55c11d91f264e84d85bbbd5d00e9093d2ff163ffd1898864e4fec76db104a.exe
Resource: win7-20240221-en
General

Target: 67f55c11d91f264e84d85bbbd5d00e9093d2ff163ffd1898864e4fec76db104a.exe
Size: 101KB
MD5: 9981e9f28f6ccafc176b1e0179d2c9b0
SHA1: 59371b2ded72f632b6a0de00de4a32ad16563372
SHA256: 67f55c11d91f264e84d85bbbd5d00e9093d2ff163ffd1898864e4fec76db104a
SHA512: 7bda708a99921d2d0277682f0fdddbb94d690b818b585be63c8822b87a4bfc75f7032b9f7b54595ad39fcddf3a07290d851655d69029f65bde0df3632a916ee9
SSDEEP: 1536:PVaYzMXqtGNttyUn01Q78a4R1WtwXaa8NPI9j+RedcP01ic4Brg:PVaY46tGNttyJQ7KR1WtwXwKRj1EBrg
Malware Config
Signatures
-
Drops file in Drivers directory (2 IoCs)
Processes: 67f55c11d91f264e84d85bbbd5d00e9093d2ff163ffd1898864e4fec76db104a.exe, Logo1_.exe
  File opened for modification: C:\Windows\system32\drivers\etc\hosts  (67f55c11d91f264e84d85bbbd5d00e9093d2ff163ffd1898864e4fec76db104a.exe)
  File opened for modification: C:\Windows\system32\drivers\etc\hosts  (Logo1_.exe)
Drops startup file (2 IoCs)
Processes: Logo1_.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini  (Logo1_.exe)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini  (Logo1_.exe)
Executes dropped EXE (2 IoCs)
Processes: Logo1_.exe, 67f55c11d91f264e84d85bbbd5d00e9093d2ff163ffd1898864e4fec76db104a.exe
  PID 3108  Logo1_.exe
  PID 4172  67f55c11d91f264e84d85bbbd5d00e9093d2ff163ffd1898864e4fec76db104a.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: Logo1_.exe
  File opened (read-only) by Logo1_.exe: \??\I:, \??\E:, \??\Z:, \??\X:, \??\S:, \??\Q:, \??\P:, \??\Y:, \??\W:, \??\N:, \??\M:, \??\G:, \??\R:, \??\L:, \??\J:, \??\H:, \??\V:, \??\U:, \??\T:, \??\O:, \??\K:
Drops file in Program Files directory (64 IoCs)
Processes: Logo1_.exe (all entries)
Most entries are a `_desktop.ini` marker created or rewritten in each directory Logo1_.exe visits. Five entries are different in kind: existing executables (javapackager.exe, jcmd.exe, jmap.exe, jjs.exe, wmplayer.exe) are opened for modification, so those binaries should be re-hashed against known-good copies rather than assumed intact.
  File opened for modification: C:\Program Files\VideoLAN\VLC\lua\sd\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\_desktop.ini
  File opened for modification: C:\Program Files\Java\jdk-1.8\bin\javapackager.exe
  File opened for modification: C:\Program Files\Java\jre-1.8\lib\cmm\_desktop.ini
  File created: C:\Program Files\VideoLAN\VLC\locale\sv\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pl-pl\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\_desktop.ini
  File opened for modification: C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\en-US\_desktop.ini
  File created: C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\_desktop.ini
  File opened for modification: C:\Program Files\VideoLAN\VLC\lua\intf\modules\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nb-no\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\de-de\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ja-jp\_desktop.ini
  File opened for modification: C:\Program Files\Java\jdk-1.8\bin\jcmd.exe
  File opened for modification: C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini
  File created: C:\Program Files\VideoLAN\VLC\lua\http\_desktop.ini
  File opened for modification: C:\Program Files\Windows Photo Viewer\uk-UA\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\eu-es\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nb-no\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\uk-ua\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sl-si\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\es-es\_desktop.ini
  File created: C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini
  File created: C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\fr-FR\_desktop.ini
  File opened for modification: C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\_desktop.ini
  File opened for modification: C:\Program Files\VideoLAN\VLC\locale\sv\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\root\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Common Files\Services\_desktop.ini
  File opened for modification: C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_desktop.ini
  File opened for modification: C:\Program Files\Java\jdk-1.8\bin\jmap.exe
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ar-ae\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\it-it\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-ae\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pt-br\_desktop.ini
  File opened for modification: C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe
  File created: C:\Program Files\MSBuild\Microsoft\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\_desktop.ini
  File opened for modification: C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\_desktop.ini
  File created: C:\Program Files (x86)\WindowsPowerShell\Configuration\_desktop.ini
  File opened for modification: C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\it-IT\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\da-dk\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-il\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\he-il\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\de-de\_desktop.ini
  File opened for modification: C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\_desktop.ini
  File opened for modification: C:\Program Files\VideoLAN\VLC\locale\sr\_desktop.ini
  File created: C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\en\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-ae\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-ma\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ca-es\_desktop.ini
  File created: C:\Program Files (x86)\Common Files\Adobe\ARM\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Windows Media Player\_desktop.ini
  File created: C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\fr-FR\_desktop.ini
  File opened for modification: C:\Program Files\Windows Security\BrowserCore\en-US\_desktop.ini
  File created: C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\es-es\_desktop.ini
  File opened for modification: C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  File opened for modification: C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\_desktop.ini
Drops file in Windows directory (4 IoCs)
Processes: 67f55c11d91f264e84d85bbbd5d00e9093d2ff163ffd1898864e4fec76db104a.exe, Logo1_.exe
  File created: C:\Windows\Logo1_.exe  (67f55c11d91f264e84d85bbbd5d00e9093d2ff163ffd1898864e4fec76db104a.exe)
  File created: C:\Windows\rundl132.exe  (67f55c11d91f264e84d85bbbd5d00e9093d2ff163ffd1898864e4fec76db104a.exe)
  File opened for modification: C:\Windows\rundl132.exe  (Logo1_.exe)
  File created: C:\Windows\Dll.dll  (Logo1_.exe)
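The file-system signatures above translate directly into a host triage sweep: look for the three binaries dropped under C:\Windows, for `_desktop.ini` markers under Program Files and the Word STARTUP folder, and for active entries in the hosts file both processes opened for modification. The following is an added example, not the sandbox's own code or any tool output; the paths are taken from the report, while the scratch directory tree, its file contents and the hosts text are constructed for the demo. It takes a root directory and the hosts file text as arguments so the same functions can be pointed at a mounted image.

```python
"""Triage sweep for the artefacts the report attributes to the sample and to
Logo1_.exe.  Added example, not the sandbox's own code.  Paths come from the
report; the demo tree and hosts contents below are constructed."""
import hashlib
import os
import tempfile
from pathlib import Path

# Files the report shows being created under C:\Windows (relative to the root).
DROPPED_UNDER_WINDOWS = ("Logo1_.exe", "rundl132.exe", "Dll.dll")
# Marker Logo1_.exe plants in the directories it visits.  Note the leading
# underscore: Explorer's legitimate per-folder file is desktop.ini without it.
MARKER_NAME = "_desktop.ini"
LOOPBACK = {"127.0.0.1", "::1"}
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def sha256_bytes(data):
    return hashlib.sha256(data).hexdigest()


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def find_dropped_binaries(root):
    """Which of the report's dropped binaries exist under <root>/Windows."""
    win = Path(root) / "Windows"
    return sorted(n for n in DROPPED_UNDER_WINDOWS if (win / n).is_file())


def find_markers(root):
    """Relative paths of every _desktop.ini below root (case-insensitive)."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == MARKER_NAME:
                hits.append(str(Path(dirpath, name).relative_to(root)))
    return sorted(hits)


def parse_hosts(text):
    """(ip, [names]) for each active, non-comment line of a hosts file."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2:
            entries.append((parts[0], parts[1:]))
    return entries


def suspicious_hosts_entries(text):
    """Active mappings other than loopback -> localhost.  A stock Windows hosts
    file is comments only, so any active line deserves a look; pointing a
    vendor's update host at loopback is the classic way to starve AV updates."""
    return [(ip, names) for ip, names in parse_hosts(text)
            if not (ip in LOOPBACK and all(n.lower() in LOCAL_NAMES for n in names))]


def sweep(root, hosts_text):
    """Collect all findings for one root; hashes let the analyst compare the
    dropped files against the SHA256 values listed in the report."""
    dropped = find_dropped_binaries(root)
    win = Path(root) / "Windows"
    return {
        "dropped": dropped,
        "dropped_sha256": {n: sha256_file(win / n) for n in dropped},
        "markers": find_markers(root),
        "hosts": suspicious_hosts_entries(hosts_text),
    }


# --- constructed demo input (placeholder bytes, not real samples) -----------
DEMO_FILES = {
    "Windows/Logo1_.exe": b"MZ placeholder Logo1_",
    "Windows/rundl132.exe": b"MZ placeholder rundl132",
    "Program Files/VideoLAN/VLC/lua/sd/_desktop.ini": b"marker",
    "Program Files (x86)/Common Files/Services/_desktop.ini": b"marker",
    "Users/Admin/AppData/Roaming/Microsoft/Word/STARTUP/_desktop.ini": b"marker",
    "Program Files/SomeApp/desktop.ini": b"[.ShellClassInfo]",  # legitimate, must not match
}
DEMO_HOSTS = """# constructed: the stock Windows hosts file contains only comments
#   127.0.0.1       localhost
127.0.0.1   localhost
127.0.0.1   update.example-av.invalid
"""


def build_demo_tree(base):
    for rel, data in DEMO_FILES.items():
        p = Path(base, *rel.split("/"))
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo():
    """Build the scratch tree, sweep it and return the findings."""
    with tempfile.TemporaryDirectory() as base:
        build_demo_tree(base)
        return sweep(base, DEMO_HOSTS)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

On a live host, call `sweep("C:\\", open(r"C:\Windows\System32\drivers\etc\hosts").read())`; on a mounted image, pass the mount point. Dll.dll is deliberately absent from the demo tree so the output shows a partial match rather than an all-or-nothing result.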
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes: 67f55c11d91f264e84d85bbbd5d00e9093d2ff163ffd1898864e4fec76db104a.exe, Logo1_.exe
  PID 628   67f55c11d91f264e84d85bbbd5d00e9093d2ff163ffd1898864e4fec76db104a.exe  (repeated entries)
  PID 3108  Logo1_.exe  (repeated entries)
  64 entries in total, all from these two PIDs.
Suspicious use of WriteProcessMemory (29 IoCs)
Processes: 67f55c11d91f264e84d85bbbd5d00e9093d2ff163ffd1898864e4fec76db104a.exe, net.exe, Logo1_.exe, net.exe, cmd.exe, net.exe
Each parent -> child pair below appears three times in the raw log, the usual footprint of a parent writing into a child it has just created. Collapsed:
  PID 628  (67f55c11d91f264e84d85bbbd5d00e9093d2ff163ffd1898864e4fec76db104a.exe) -> PID 3756 net.exe   x3
  PID 3756 (net.exe)    -> PID 2972 net1.exe   x3
  PID 628  (67f55c11d91f264e84d85bbbd5d00e9093d2ff163ffd1898864e4fec76db104a.exe) -> PID 660 cmd.exe    x3
  PID 628  (67f55c11d91f264e84d85bbbd5d00e9093d2ff163ffd1898864e4fec76db104a.exe) -> PID 3108 Logo1_.exe x3
  PID 3108 (Logo1_.exe) -> PID 4568 net.exe    x3
  PID 4568 (net.exe)    -> PID 1188 net1.exe   x3
  PID 660  (cmd.exe)    -> PID 4172 67f55c11d91f264e84d85bbbd5d00e9093d2ff163ffd1898864e4fec76db104a.exe x3
  PID 3108 (Logo1_.exe) -> PID 2112 net.exe    x3
  PID 2112 (net.exe)    -> PID 5016 net1.exe   x3
  PID 3108 (Logo1_.exe) -> PID 3492 Explorer.EXE x2
The last pair is the one to look at: Explorer.EXE (PID 3492) is not a child of Logo1_.exe, so those two writes are not process-creation housekeeping but Logo1_.exe writing into an already-running Explorer, which is the pattern of code injection into the shell.
Processes

C:\Windows\Explorer.EXE  (PID 3492)
  command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\67f55c11d91f264e84d85bbbd5d00e9093d2ff163ffd1898864e4fec76db104a.exe  (PID 628)
    command line: "C:\Users\Admin\AppData\Local\Temp\67f55c11d91f264e84d85bbbd5d00e9093d2ff163ffd1898864e4fec76db104a.exe"
    - Drops file in Drivers directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net.exe  (PID 3756)
      command line: net stop "Kingsoft AntiVirus Service"
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net1.exe  (PID 2972)
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

    C:\Windows\SysWOW64\cmd.exe  (PID 660)
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a35B6.bat
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\67f55c11d91f264e84d85bbbd5d00e9093d2ff163ffd1898864e4fec76db104a.exe  (PID 4172)
        command line: "C:\Users\Admin\AppData\Local\Temp\67f55c11d91f264e84d85bbbd5d00e9093d2ff163ffd1898864e4fec76db104a.exe"
        - Executes dropped EXE

    C:\Windows\Logo1_.exe  (PID 3108)
      command line: C:\Windows\Logo1_.exe
      - Drops file in Drivers directory
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net.exe  (PID 4568)
        command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe  (PID 1188)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

      C:\Windows\SysWOW64\net.exe  (PID 2112)
        command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe  (PID 5016)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
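The process tree carries three behaviours worth turning into detection logic: `net.exe`/`net1.exe` stopping an antivirus service, `cmd.exe` running a `$$xxxx.bat` out of %TEMP% that relaunches the sample, and a binary dropped into C:\Windows being executed, each reported with its full ancestry so the analyst sees that the `net stop` chains hang off both the sample and Logo1_.exe. The code below is an added example, not the sandbox's own code. EVENTS is constructed to mirror the tree above (same PIDs, images and command lines); the record field names (pid, ppid, image, cmd) are an assumption modelled loosely on Sysmon Event ID 1, and the service-name rule is generalised beyond the report's "Kingsoft AntiVirus Service" to any service whose name looks like a security product.

```python
r"""Process-behaviour detection for the tree in the report: AV service stop via
net.exe/net1.exe, self-relaunch through a $$xxxx.bat in the sample's directory,
and execution of a binary dropped into C:\Windows.  Added example, not the
sandbox's own code; EVENTS is constructed from the report's process tree."""
import ntpath
import re

SAMPLE = "67f55c11d91f264e84d85bbbd5d00e9093d2ff163ffd1898864e4fec76db104a.exe"
TEMP = r"C:\Users\Admin\AppData\Local\Temp"
SYS32 = r"C:\Windows\system32"

# Generalised from the report's `net stop "Kingsoft AntiVirus Service"`:
# any net/net1 "stop" of a service whose name looks like a security product.
AV_STOP = re.compile(r'\bstop\s+"?[^"]*(anti[- ]?virus|antimalware|security|defender)', re.I)
# cmd.exe launching a $$<id>.bat (the report shows $$a35B6.bat in %TEMP%).
TEMP_BAT = re.compile(r"\\\$\$[0-9A-Za-z]+\.bat\b", re.I)
# Binaries the report shows being created under C:\Windows and then run.
DROPPED = {r"c:\windows\logo1_.exe", r"c:\windows\rundl132.exe"}


def ev(pid, ppid, image, cmd):
    return {"pid": pid, "ppid": ppid, "image": image, "cmd": cmd}


# Constructed to mirror the report's tree (same PIDs and command lines).
EVENTS = [
    ev(3492, 0,    r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ev(628,  3492, ntpath.join(TEMP, SAMPLE), '"%s"' % ntpath.join(TEMP, SAMPLE)),
    ev(3756, 628,  r"C:\Windows\SysWOW64\net.exe",  'net stop "Kingsoft AntiVirus Service"'),
    ev(2972, 3756, r"C:\Windows\SysWOW64\net1.exe", SYS32 + r'\net1 stop "Kingsoft AntiVirus Service"'),
    ev(660,  628,  r"C:\Windows\SysWOW64\cmd.exe",  SYS32 + r"\cmd.exe /c " + TEMP + r"\$$a35B6.bat"),
    ev(4172, 660,  ntpath.join(TEMP, SAMPLE), '"%s"' % ntpath.join(TEMP, SAMPLE)),
    ev(3108, 628,  r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    ev(4568, 3108, r"C:\Windows\SysWOW64\net.exe",  'net stop "Kingsoft AntiVirus Service"'),
    ev(1188, 4568, r"C:\Windows\SysWOW64\net1.exe", SYS32 + r'\net1 stop "Kingsoft AntiVirus Service"'),
    ev(2112, 3108, r"C:\Windows\SysWOW64\net.exe",  'net stop "Kingsoft AntiVirus Service"'),
    ev(5016, 2112, r"C:\Windows\SysWOW64\net1.exe", SYS32 + r'\net1 stop "Kingsoft AntiVirus Service"'),
]


def build_tree(events):
    return {e["pid"]: e for e in events}


def ancestry(tree, pid):
    """[(pid, image basename)] from pid up to the root; cycle-safe."""
    chain, seen = [], set()
    while pid in tree and pid not in seen:
        seen.add(pid)
        chain.append((pid, ntpath.basename(tree[pid]["image"])))
        pid = tree[pid]["ppid"]
    return chain


def detect(events):
    """Run the three rules over the events; each alert carries the full chain."""
    tree = build_tree(events)
    alerts = []

    def fire(rule, e):
        chain = " -> ".join("%d:%s" % (p, n) for p, n in reversed(ancestry(tree, e["pid"])))
        alerts.append({"rule": rule, "pid": e["pid"], "cmd": e["cmd"], "chain": chain})

    for e in events:
        base = ntpath.basename(e["image"]).lower()
        if base in ("net.exe", "net1.exe") and AV_STOP.search(e["cmd"]):
            fire("av_service_stop", e)
        if base == "cmd.exe" and TEMP_BAT.search(e["cmd"]):
            fire("temp_batch_relaunch", e)
        if e["image"].lower() in DROPPED:
            fire("dropped_binary_exec", e)
    return alerts


def rule_counts(alerts):
    counts = {}
    for a in alerts:
        counts[a["rule"]] = counts.get(a["rule"], 0) + 1
    return counts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a["rule"], a["chain"])
```

The net.exe entries fire twice per `net stop` (once on net.exe, once on the net1.exe it spawns); keeping both is deliberate, because on a real host only one of the two may be captured depending on the telemetry source. `ntpath` is used rather than `os.path` so Windows paths parse correctly when the script is run on a Linux analysis box.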
Network
MITRE ATT&CK Enterprise v15
Downloads

(path not shown)
  Filesize: 258KB
  MD5: 196e80c6461b51a75560df3e57cfbd9a
  SHA1: 3dd1bb9835e97f093efe4ffd8c078d8fa3d4ef7f
  SHA256: dee2cf210ee5f75549462b7cb03674155eb011190c77e332d53edcf655bcc237
  SHA512: 00a3d357b589b85a644c78558fd8eff80832cec119f8d4976f7248ce2521dbe331078129ec35af26ec18d182daad55812e3d57f2f9b73615762a37ac2fc15798

(path not shown)
  Filesize: 456KB
  MD5: a08d91b0839610dd4a234c24efc1e52b
  SHA1: 923920879a1e008182126229d6edcb09691ba645
  SHA256: ba29ef35fa341c51d41be56803abdc47c6417383146f0be8185561c4f8efe00c
  SHA512: 877e99aacd523b0f13a19f69738d9eaadfcff45ba7570abdb1a312881a7e4fbe94c1b5a9e0d5c88fbdf2ead263057e7c0553304a0841e42b1e038a5eba6c1dd6

(path not shown)
  Filesize: 488KB
  MD5: 15137620fba9c2013dfa9107be4321d5
  SHA1: 31c790632ae19274fc2ed7e1615458324bc199bd
  SHA256: 37cf90de70064c0ecf765ae35e8b0cf412c90cca2aaa2513cfba95b408b4e604
  SHA512: e2cbb59ec77cb009bf1b0d8d398c0898e65380858d33afb58e6ffc762842526f097d112369200cda95f015f5aa75e5af88810e2f2e174e0d1600cb6ec22a77e3

(path not shown)
  Filesize: 722B
  MD5: 667bc713e142b888adc3ada9f3721fb0
  SHA1: 87c56566df7a76c9cacebb12a404561179623946
  SHA256: 9bbe227bab092e724f7fd6850aa4d3d84712bcf9ba6f42ee816cfa802de8db42
  SHA512: 7371fefc426c5d0e301ba79f58c688dba446aa3c845ffb32c46e204394ebcc3904ec8c060de67449bf04873aaf2c3729a46d897a7c93a23b4ceba4735ff84bd5

C:\Users\Admin\AppData\Local\Temp\67f55c11d91f264e84d85bbbd5d00e9093d2ff163ffd1898864e4fec76db104a.exe.exe
  Filesize: 68KB
  MD5: 48335cfbe6a9bdaa2492ca1320b70a3a
  SHA1: 6d3c3d659e3718a0b56f52c9d4386d55d7672b97
  SHA256: 4ec34f1d893e8cc02f669fb5eb329bbcc5374bd7e7284e8fd86fbc29d2ffeb4d
  SHA512: 9eaf3b380449ab1d2b4b6371336fc71f6a43eee0295de012d0859e7f3b80a87f9d8316b0e65d4ca450630ee17b95c64e79e594bfe27fb3965917b0c5bc2d1b58

(path not shown)
  Filesize: 33KB
  MD5: 0e8792b58f9237e03516447b7048d63c
  SHA1: 6f28494f0766ee470bbced1fe79fb10e5fee8252
  SHA256: 7e4e7447ce04580a3af3a9bf90810712d6daebc0ced6c6856eae22771ac50956
  SHA512: 6b935debde1916d7b1f2239ac3534c1f1585406c0d5f1060fdb356253cfab2fe9c716fd7ad05f20b9b3bb222307f15ae1b88e9062c7282d570b523150364e8a5

(path not shown)
  Filesize: 842B
  MD5: 6f4adf207ef402d9ef40c6aa52ffd245
  SHA1: 4b05b495619c643f02e278dede8f5b1392555a57
  SHA256: d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e
  SHA512: a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

(path not shown)
  Filesize: 8B
  MD5: 331b730a7f1adbf1f0bc05e0c610f0f1
  SHA1: 2f2283f84f040fbd4ecf99055026b70bb3b732ec
  SHA256: 2d3dbb80989e5cc7ef9ef800cc986bb8dccf4ca1f78437040bccd59312a55593
  SHA512: 16790117c382e66c8af2932ed0c37229ae5ee6b8bbaa8bd4e3f9afed6e07cd89c5807c81145f19f561ab714d844826cf6099a6dc97d84fa3f9da5e763bcc78c4