Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/05/2024, 14:55
- Static task: static1
- Behavioral task: behavioral1
- Sample: 90c644aed39682aa57383b2b6a2c2f520212c09761f05cb9b7c79d36719c9f9e.exe
- Resource: win7-20240220-en
General
- Target: 90c644aed39682aa57383b2b6a2c2f520212c09761f05cb9b7c79d36719c9f9e.exe
- Size: 92KB
- MD5: 5d8face1052ebfdc2d4f79fbb894029e
- SHA1: 35585f9d75f973bd7e704bbedbee0b71d9daf3b9
- SHA256: 90c644aed39682aa57383b2b6a2c2f520212c09761f05cb9b7c79d36719c9f9e
- SHA512: 6df52351cb91e1b88fe78ca820604b49d16335f440a32365220df0f153f8bb69285a8c4f6cb3c9e07dd8ebb6115d5b53e971ef1a710a4f5609d3ecc612d44bb4
- SSDEEP: 1536:FNcx1aeg1vye1MRSryapmebn4ddJZeY86iLflLJYEIs67rxo:FNf9qe1ISGLK4ddJMY86ipmns6S
Malware Config
Signatures
Drops startup file (2 IoCs)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (Logo1_.exe)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (Logo1_.exe)

Executes dropped EXE (2 IoCs)
- PID 2568: Logo1_.exe
- PID 2848: 90c644aed39682aa57383b2b6a2c2f520212c09761f05cb9b7c79d36719c9f9e.exe

Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.

Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by Logo1_.exe: \??\P:, \??\L:, \??\I:, \??\E:, \??\W:, \??\U:, \??\S:, \??\Q:, \??\J:, \??\H:, \??\G:, \??\Z:, \??\Y:, \??\O:, \??\M:, \??\X:, \??\N:, \??\K:, \??\V:, \??\T:, \??\R:
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
- File opened for modification: C:\Windows\rundl132.exe (Logo1_.exe)
- File created: C:\Windows\Dll.dll (Logo1_.exe)
- File created: C:\Windows\rundl132.exe (90c644aed39682aa57383b2b6a2c2f520212c09761f05cb9b7c79d36719c9f9e.exe)
- File created: C:\Windows\Logo1_.exe (90c644aed39682aa57383b2b6a2c2f520212c09761f05cb9b7c79d36719c9f9e.exe)

Runs net.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of WriteProcessMemory (28 IoCs)
- PID 2472 wrote to memory of 2500 (90c644aed39682aa57383b2b6a2c2f520212c09761f05cb9b7c79d36719c9f9e.exe, procid_target 83), 3 entries
- PID 2500 wrote to memory of 1796 (net.exe, procid_target 85), 3 entries
- PID 2472 wrote to memory of 2240 (90c644aed39682aa57383b2b6a2c2f520212c09761f05cb9b7c79d36719c9f9e.exe, procid_target 90), 3 entries
- PID 2472 wrote to memory of 2568 (90c644aed39682aa57383b2b6a2c2f520212c09761f05cb9b7c79d36719c9f9e.exe, procid_target 91), 3 entries
- PID 2568 wrote to memory of 3784 (Logo1_.exe, procid_target 92), 3 entries
- PID 3784 wrote to memory of 4276 (net.exe, procid_target 94), 3 entries
- PID 2240 wrote to memory of 2848 (cmd.exe, procid_target 96), 2 entries
- PID 2568 wrote to memory of 3700 (Logo1_.exe, procid_target 99), 3 entries
- PID 3700 wrote to memory of 2540 (net.exe, procid_target 101), 3 entries
- PID 2568 wrote to memory of 3512 (Logo1_.exe, procid_target 56), 2 entries
Processes
- C:\Windows\Explorer.EXE (PID 3512)
  command line: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\90c644aed39682aa57383b2b6a2c2f520212c09761f05cb9b7c79d36719c9f9e.exe (PID 2472)
    command line: "C:\Users\Admin\AppData\Local\Temp\90c644aed39682aa57383b2b6a2c2f520212c09761f05cb9b7c79d36719c9f9e.exe"
    signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (PID 2500)
      command line: net stop "Kingsoft AntiVirus Service"
      signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (PID 1796)
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
    - C:\Windows\SysWOW64\cmd.exe (PID 2240)
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a566D.bat
      signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\90c644aed39682aa57383b2b6a2c2f520212c09761f05cb9b7c79d36719c9f9e.exe (PID 2848)
        command line: "C:\Users\Admin\AppData\Local\Temp\90c644aed39682aa57383b2b6a2c2f520212c09761f05cb9b7c79d36719c9f9e.exe"
        signatures: Executes dropped EXE
    - C:\Windows\Logo1_.exe (PID 2568)
      command line: C:\Windows\Logo1_.exe
      signatures: Drops startup file; Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (PID 3784)
        command line: net stop "Kingsoft AntiVirus Service"
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 4276)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      - C:\Windows\SysWOW64\net.exe (PID 3700)
        command line: net stop "Kingsoft AntiVirus Service"
        signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (PID 2540)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network
MITRE ATT&CK Enterprise v15
Downloads