Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 28/05/2024, 08:04
Static task: static1
Behavioral task: behavioral1
Sample: 28f9014ef8781f01a437a7bc88b51138a85b457285e353e09b57ee93dce8d2d3.exe
Resource: win7-20240508-en
The signatures, process tree and dropped files below are from the Windows 10 run described under Analysis (platform windows10-2004_x64, resource win10v2004-20240426-en).
General
Target: 28f9014ef8781f01a437a7bc88b51138a85b457285e353e09b57ee93dce8d2d3.exe
Size: 53KB
MD5: 11b8817a1db9277f0052a62660ec600e
SHA1: b0e4bd9a440ea87618bfd0f759f17ec0c6b9701e
SHA256: 28f9014ef8781f01a437a7bc88b51138a85b457285e353e09b57ee93dce8d2d3
SHA512: 61cfe18d95dbac2eb90cf1cddb72ac504e5acb4c6a00d59450b438c1509bd31979f12b2415a919e254d7007c26fc31183bc56ab59583d5c1d3a88ee95d53a1d7
SSDEEP: 1536:PhUaYzMXqtGNttyUn01Q78a4RgphWNFaWp:PhUaY46tGNttyJQ7KR0WDzp
Signatures
Drops file in Drivers directory (2 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\system32\drivers\etc\hosts | 28f9014ef8781f01a437a7bc88b51138a85b457285e353e09b57ee93dce8d2d3.exe
File opened for modification | C:\Windows\system32\drivers\etc\hosts | Logo1_.exe
Both the submitted sample and the dropped Logo1_.exe open the hosts file for writing. The report does not capture what was written; on an infected host, compare the file against a clean copy, since hosts entries are a common way to block security-vendor update domains or redirect traffic.
Drops startup file (2 IoCs)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
The signature fires on the path alone. Word loads templates and add-ins (.dot, .dotm, .wll) from STARTUP, not .ini files, so this entry is the same _desktop.ini marker that Logo1_.exe writes into many directories under Program Files (see below), not a Word-based persistence mechanism.
Executes dropped EXE (2 IoCs)
pid | Process
1780 | Logo1_.exe
2136 | 28f9014ef8781f01a437a7bc88b51138a85b457285e353e09b57ee93dce8d2d3.exe (the copy re-launched from the batch file; see the process tree)
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (21 drive roots) | Logo1_.exe
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sv-se\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Simple\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\it-it\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\css\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\root\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ja-jp\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\css\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\95D30FCC-DB4C-4EEA-BF52-74786899DC3F\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ca-es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ru-ru\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\tr-tr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sk-sk\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-fr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENES\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-cn\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ca-es\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sk-sk\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-ae\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-tw\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\en-il\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-gb\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\dotnet\host\fxr\7.0.16\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hu-hu\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pl-pl\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\_desktop.ini | Logo1_.exe
File created | C:\Program Files\VideoLAN\VLC\locale\mai\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office 15\ClientX64\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\uk-ua\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\pt-br\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\pt-br\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\da-dk\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\PROOF\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\uk-ua\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Windows Media Player\de-DE\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\cs-cz\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sl-si\_desktop.ini | Logo1_.exe
File created | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\playlist\_desktop.ini | Logo1_.exe
File created | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\_desktop.ini | Logo1_.exe
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\uk-ua\_desktop.ini | Logo1_.exe
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hr-hr\_desktop.ini | Logo1_.exe
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sv-se\_desktop.ini | Logo1_.exe
All 64 entries belong to Logo1_.exe. With one exception they are _desktop.ini markers written into existing application directories (the sandbox caps the list at 64, so the real count on a full install is likely higher). The exception is C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe, an existing executable opened for modification; on an infected host, check that file's hash and Authenticode signature against a clean install before trusting it.
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\Dll.dll | Logo1_.exe
File created | C:\Windows\rundl132.exe | 28f9014ef8781f01a437a7bc88b51138a85b457285e353e09b57ee93dce8d2d3.exe
File created | C:\Windows\Logo1_.exe | 28f9014ef8781f01a437a7bc88b51138a85b457285e353e09b57ee93dce8d2d3.exe
Note the file name rundl132.exe: the digit 1 stands in for the letter l of the legitimate rundll32.exe, and the file sits in C:\Windows rather than C:\Windows\System32. A hunt for this sample should match on the exact look-alike name and location, not on a case-insensitive "rundll32" string.
Runs net.exe
Per the process tree, net.exe is launched three times, once by the sample and twice by Logo1_.exe, each time with net stop "Kingsoft AntiVirus Service"; net.exe in turn hands the command to net1.exe. Whether the service existed on the sandbox image is not recorded, so the stop attempts may simply have failed there.
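The signature tables above reduce to a handful of file-system indicators: the hosts file opened for writing, three files dropped into C:\Windows (one of them the rundl132.exe look-alike), _desktop.ini markers under Program Files and Word's STARTUP folder, and one existing executable under Program Files opened for modification. The following script is an added example, not part of the sandbox report, that encodes those indicators as tags and runs them over constructed file events taken from the tables plus two benign rows. The list of genuine system binary names used for the look-alike check and the tag names are assumptions for the example; the paths and process names are the report's own.

```python
"""Tag file-system events against the drop/modify IoCs recorded in this report.

Example code added to the report; the paths, file names and process names come
from the signature tables above, the event rows are constructed for the demo.
"""
from collections import Counter

SAMPLE = "28f9014ef8781f01a437a7bc88b51138a85b457285e353e09b57ee93dce8d2d3.exe"

HOSTS_FILE = "c:\\windows\\system32\\drivers\\etc\\hosts"
WINDOWS_DROPS = {"rundl132.exe", "logo1_.exe", "dll.dll"}      # dropped under C:\Windows
MARKER_NAME = "_desktop.ini"                                   # dropped in bulk under Program Files
WORD_STARTUP = "\\appdata\\roaming\\microsoft\\word\\startup\\"
PROGRAM_FILES = ("c:\\program files\\", "c:\\program files (x86)\\")

# Assumed list of legitimate Windows binaries a dropper may imitate; not from the report.
SYSTEM_BINARIES = {"rundll32.exe", "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"}
_HOMOGLYPHS = str.maketrans({"1": "l", "0": "o"})


def lookalike_of(name):
    """Return the system binary that `name` imitates by a digit-for-letter swap, else None."""
    name = name.lower()
    if name in SYSTEM_BINARIES:
        return None                      # the genuine name is not a look-alike
    normalised = name.translate(_HOMOGLYPHS)
    return normalised if normalised in SYSTEM_BINARIES else None


def classify(path, op):
    """Return the set of IoC tags one file event matches (empty set = nothing of interest)."""
    p = path.lower()
    base = p.rsplit("\\", 1)[-1]
    modified = "modif" in op.lower()
    tags = set()
    if p == HOSTS_FILE and modified:
        tags.add("hosts_modified")
    if p.startswith("c:\\windows\\") and base in WINDOWS_DROPS:
        tags.add("windows_dir_drop")
    imitated = lookalike_of(base)
    if imitated:
        tags.add("lookalike:" + imitated)
    if base == MARKER_NAME:
        if WORD_STARTUP in p:
            tags.add("word_startup_marker")
        elif p.startswith(PROGRAM_FILES):
            tags.add("program_files_marker")
    elif modified and base.endswith(".exe") and p.startswith(PROGRAM_FILES):
        tags.add("exe_modified_in_program_files")   # e.g. jp2launcher.exe in the table above
    return tags


def summarise(events):
    """Per process, count how many events hit each tag; processes with no hits are omitted."""
    per_process = {}
    for path, op, process in events:
        for tag in classify(path, op):
            per_process.setdefault(process, Counter())[tag] += 1
    return per_process


# Constructed events: eight rows taken from the signature tables plus two benign rows.
EVENTS = [
    ("C:\\Windows\\system32\\drivers\\etc\\hosts", "File opened for modification", SAMPLE),
    ("C:\\Windows\\system32\\drivers\\etc\\hosts", "File opened for modification", "Logo1_.exe"),
    ("C:\\Windows\\rundl132.exe", "File created", SAMPLE),
    ("C:\\Windows\\Logo1_.exe", "File created", SAMPLE),
    ("C:\\Windows\\Dll.dll", "File created", "Logo1_.exe"),
    ("C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\_desktop.ini", "File created", "Logo1_.exe"),
    ("C:\\Program Files\\Java\\jre-1.8\\bin\\jp2launcher.exe", "File opened for modification", "Logo1_.exe"),
    ("C:\\Program Files (x86)\\Windows Media Player\\de-DE\\_desktop.ini", "File opened for modification", "Logo1_.exe"),
    ("C:\\Windows\\System32\\rundll32.exe", "File opened (read-only)", "svchost.exe"),   # benign: genuine binary
    ("C:\\Users\\Admin\\Documents\\_desktop.ini", "File created", "explorer.exe"),         # benign: not a watched location
]

if __name__ == "__main__":
    for process, hits in summarise(EVENTS).items():
        print(process, dict(hits))
```

The look-alike check deliberately returns nothing for the genuine rundll32.exe and only fires when a digit-substituted name normalises to a real system binary, so the benign read of System32\rundll32.exe stays silent while C:\Windows\rundl132.exe is tagged twice (dropped into C:\Windows, and a look-alike of rundll32.exe).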
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
760 | 28f9014ef8781f01a437a7bc88b51138a85b457285e353e09b57ee93dce8d2d3.exe
1780 | Logo1_.exe
The 64 entries are repeats of these two pid/process pairs: first the submitted sample (PID 760), then the dropped Logo1_.exe (PID 1780).
Suspicious use of WriteProcessMemory (29 IoCs)
description | pid | Process | procid_target
PID 760 wrote to memory of 2524 | 760 | 28f9014ef8781f01a437a7bc88b51138a85b457285e353e09b57ee93dce8d2d3.exe | 82 (x3)
PID 2524 wrote to memory of 220 | 2524 | net.exe | 84 (x3)
PID 760 wrote to memory of 1164 | 760 | 28f9014ef8781f01a437a7bc88b51138a85b457285e353e09b57ee93dce8d2d3.exe | 86 (x3)
PID 760 wrote to memory of 1780 | 760 | 28f9014ef8781f01a437a7bc88b51138a85b457285e353e09b57ee93dce8d2d3.exe | 87 (x3)
PID 1780 wrote to memory of 3376 | 1780 | Logo1_.exe | 88 (x3)
PID 3376 wrote to memory of 4884 | 3376 | net.exe | 91 (x3)
PID 1164 wrote to memory of 2136 | 1164 | cmd.exe | 92 (x3)
PID 1780 wrote to memory of 4652 | 1780 | Logo1_.exe | 95 (x3)
PID 4652 wrote to memory of 5112 | 4652 | net.exe | 97 (x3)
PID 1780 wrote to memory of 3444 | 1780 | Logo1_.exe | 56 (x2)
The first nine pairs are each a parent writing into a child it has just created, which CreateProcess does legitimately and which this signature records for every spawn. The last entry is different: 1780 (Logo1_.exe) writes into 3444, which the process tree identifies as Explorer.EXE, a process it did not create. That cross-process write into the shell is the one to follow up.
Processes (indentation shows parent/child; the signatures hit by each process are listed in brackets)
C:\Windows\Explorer.EXE  C:\Windows\Explorer.EXE  (PID 3444)
  C:\Users\Admin\AppData\Local\Temp\28f9014ef8781f01a437a7bc88b51138a85b457285e353e09b57ee93dce8d2d3.exe  "C:\Users\Admin\AppData\Local\Temp\28f9014ef8781f01a437a7bc88b51138a85b457285e353e09b57ee93dce8d2d3.exe"  (PID 760)
    [Drops file in Drivers directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory]
    C:\Windows\SysWOW64\net.exe  net stop "Kingsoft AntiVirus Service"  (PID 2524)
      [Suspicious use of WriteProcessMemory]
      C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"  (PID 220)
    C:\Windows\SysWOW64\cmd.exe  C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a50B0.bat  (PID 1164)
      [Suspicious use of WriteProcessMemory]
      C:\Users\Admin\AppData\Local\Temp\28f9014ef8781f01a437a7bc88b51138a85b457285e353e09b57ee93dce8d2d3.exe  "C:\Users\Admin\AppData\Local\Temp\28f9014ef8781f01a437a7bc88b51138a85b457285e353e09b57ee93dce8d2d3.exe"  (PID 2136)
        [Executes dropped EXE]
    C:\Windows\Logo1_.exe  C:\Windows\Logo1_.exe  (PID 1780)
      [Drops file in Drivers directory; Drops startup file; Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory]
      C:\Windows\SysWOW64\net.exe  net stop "Kingsoft AntiVirus Service"  (PID 3376)
        [Suspicious use of WriteProcessMemory]
        C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"  (PID 4884)
      C:\Windows\SysWOW64\net.exe  net stop "Kingsoft AntiVirus Service"  (PID 4652)
        [Suspicious use of WriteProcessMemory]
        C:\Windows\SysWOW64\net1.exe  C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"  (PID 5112)
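The tree above shows three behaviours worth encoding as detection logic rather than reading off by hand: the AV-service stop issued through net.exe/net1.exe (which should be attributed to the binary that launched the net command, not to net.exe itself), the sample re-launching its own image from a cmd.exe /c batch file, and the memory write from Logo1_.exe into Explorer.EXE recorded in the WriteProcessMemory table. The script below is an added example, not code from the sandbox or from the report, that rebuilds the tree from constructed process-creation events carrying the report's PIDs and command lines, then flags those three patterns. The pass-through utility set, the service-name regex and the finding labels are assumptions for the example.

```python
"""Rebuild the process tree from creation events and flag the chains seen in this report.

Example code added to the report. PIDs, images and command lines below are copied
from the report's process tree; the detection rules are the author's assumptions.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    children: list = field(default_factory=list)


SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\28f9014ef8781f01a437a7bc88b51138a85b457285e353e09b57ee93dce8d2d3.exe"

# Constructed creation events: (pid, parent pid, image, command line), from the process tree.
CREATES = [
    (3444, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (760, 3444, SAMPLE, f'"{SAMPLE}"'),
    (2524, 760, r"C:\Windows\SysWOW64\net.exe", 'net stop "Kingsoft AntiVirus Service"'),
    (220, 2524, r"C:\Windows\SysWOW64\net1.exe", r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
    (1164, 760, r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a50B0.bat"),
    (2136, 1164, SAMPLE, f'"{SAMPLE}"'),
    (1780, 760, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    (3376, 1780, r"C:\Windows\SysWOW64\net.exe", 'net stop "Kingsoft AntiVirus Service"'),
    (4884, 3376, r"C:\Windows\SysWOW64\net1.exe", r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
    (4652, 1780, r"C:\Windows\SysWOW64\net.exe", 'net stop "Kingsoft AntiVirus Service"'),
    (5112, 4652, r"C:\Windows\SysWOW64\net1.exe", r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
]
# (writer pid, target pid) pairs from the WriteProcessMemory table, de-duplicated.
MEM_WRITES = [(760, 2524), (2524, 220), (760, 1164), (760, 1780), (1780, 3376),
              (3376, 4884), (1164, 2136), (1780, 4652), (4652, 5112), (1780, 3444)]

PASS_THROUGH = {"net.exe", "net1.exe", "cmd.exe"}   # assumed: utilities that act on behalf of their launcher
AV_STOP = re.compile(r'\bnet1?(?:\.exe)?\s+stop\s+"?[^"]*anti\s*-?\s*virus', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def build_tree(creates):
    """Index processes by PID and link each one to its parent's children list."""
    procs = {pid: Proc(pid, ppid, image, cmd) for pid, ppid, image, cmd in creates}
    for p in procs.values():
        if p.ppid in procs:
            procs[p.ppid].children.append(p)
    return procs


def originator(procs, pid):
    """Walk up through pass-through utilities to the binary that initiated the action."""
    p = procs[pid]
    while basename(p.image) in PASS_THROUGH and p.ppid in procs:
        p = procs[p.ppid]
    return p


def render(procs, pid=None, depth=0, out=None):
    """Return the tree as indented lines, roots first (a root has no known parent)."""
    out = [] if out is None else out
    nodes = [procs[pid]] if pid is not None else [p for p in procs.values() if p.ppid not in procs]
    for p in nodes:
        out.append("  " * depth + f"{basename(p.image)} (PID {p.pid}): {p.cmdline}")
        for child in p.children:
            render(procs, child.pid, depth + 1, out)
    return out


def analyse(creates, mem_writes):
    """Return (label, pid, image) findings for the three patterns in this report."""
    procs = build_tree(creates)
    findings = []
    for p in procs.values():
        # 1. AV service stop, attributed to the launcher of net.exe (net1.exe is net's helper).
        if basename(p.image) == "net.exe" and AV_STOP.search(p.cmdline):
            o = originator(procs, p.pid)
            findings.append(("av_service_stop", o.pid, basename(o.image)))
        # 2. A binary re-launching its own image through cmd.exe /c <batch file>.
        parent = procs.get(p.ppid)
        if parent and basename(parent.image) == "cmd.exe" and "/c" in parent.cmdline.lower():
            grandparent = procs.get(parent.ppid)
            if grandparent and grandparent.image.lower() == p.image.lower():
                findings.append(("relaunch_via_batch", p.pid, basename(p.image)))
    # 3. Memory written into a process the writer did not create (CreateProcess writes are expected).
    for writer, target in mem_writes:
        if procs[target].ppid != writer:
            findings.append(("cross_process_write", writer, basename(procs[target].image)))
    return findings


if __name__ == "__main__":
    print("\n".join(render(build_tree(CREATES))))
    for finding in analyse(CREATES, MEM_WRITES):
        print(finding)
```

Run against the report's tree this yields five findings: three av_service_stop entries attributed to PID 760 (the sample) and PID 1780 (Logo1_.exe, twice), one relaunch_via_batch for PID 2136, and one cross_process_write from PID 1780 into explorer.exe. The parent-of-target check in step 3 is what separates the routine parent-to-child writes from the one injection-like write into the shell.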
Downloads (files written during the run; entries the report lists without a path are given by hash only)

Filesize: 258KB
MD5: ebb1acf3749aab2799316e438dfdbdf4
SHA1: 704fe023ab74891eeff0ba9779303aff0b0da5aa
SHA256: 2f7d16cda5245419705eeff7f92014c5d80e91d8a2d04beff74d79f832f7e77f
SHA512: ff93751e380f95501d316a68f459a42e116d3ca10a1d609f4f48ca679e5b9c820021ab2c1869a8d13c5a47a291a3f81e6e22966f41ed55f0f4d64a65902bacb4

Filesize: 577KB
MD5: ee6d14491d3255f801199b612664b479
SHA1: b56d2b1b62695a40ac4251977b32a3fc24decb3f
SHA256: d02d67be4e0fcfe6447e2b256b1866b0a976400bf7a5fb610bda2dc617ef7179
SHA512: d73530d0ec59f83068f5b5f7ecc2a2f7551d19e69bc5a5d938ee62957ea1baceb181bccee81cbd802a85e9ba1d0aba037da6dd96710691c7f387e0c59524f73c

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize: 643KB
MD5: c68e034d324260384602839c6e3295de
SHA1: add6ebe18274a2afd7756fcb2b5be590125eff7f
SHA256: 8317babad7376315f76f48454d7f4057d60f2a13f0e469a7c877473b220af74f
SHA512: 7c956a76088bae2a425fc13f8484027ae04bc9995b7ca85a92125801e0676ff660c2a1fcb4640424883455bc10a84d39788032d884e7b64178693b1a2a0885cb

Filesize: 722B
MD5: abac0749d0142cdfa441f76ef9193e6d
SHA1: d870af6dd7a9d8e928f9b183d673ed6a212d891f
SHA256: 38a05c8a1e6008f4b487993346476f7072a89060e8523b8509ce49a2e3827a3b
SHA512: 4934d8bdf73c3cfe5b242da5113de6b024c7ea7bd58df441e20f693a5269ecd7e75d179faaac22e0aec571d84e5bb0b2e45b23fd43c9d03f0e9238f972adce7b

C:\Users\Admin\AppData\Local\Temp\28f9014ef8781f01a437a7bc88b51138a85b457285e353e09b57ee93dce8d2d3.exe.exe
Filesize: 19KB
MD5: d7acce9a9cc1c75c377dad3c79eba7ff
SHA1: 9c1a0eb12e8cac44ecbde6dac2d6e4852e21e0b3
SHA256: 0e4d0729fac0a78ae1fef66333e70fdce7c643ed84dd9033ab022111c61fd5a4
SHA512: 10716d1fdf3467348476130fb4a118c0cbf2064397bd53f1e0c709c0463693f06d2d1ab070eb85fb87bccb4cb06d213c3c0cd25ebd1635e61dc7a6ea043e4447

Filesize: 33KB
MD5: b889976a7791068af99766aca8f357d8
SHA1: 146247c065098fb7f98f6cc1094825486b77d65c
SHA256: 2d86f486401387ff3dcf30a8ffca900063a26c269b2e44bc1b925cbfafc30e92
SHA512: bad98a62f1e63adf7fef79f14ea027179ad4255a862f30114918046d14c89256cd2f5dcc3044941ecde471d9ede8d18a4ee040ca300cd1a9b9243aabbeee9558

Filesize: 842B
MD5: 6f4adf207ef402d9ef40c6aa52ffd245
SHA1: 4b05b495619c643f02e278dede8f5b1392555a57
SHA256: d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e
SHA512: a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

Filesize: 9B
MD5: e850d9ceb7ebcc619d731dc2f1377b2b
SHA1: a45553c9057075c02e28f90d5e8ea57a0dddbacc
SHA256: b682a6e85069777ca22f84b99607acd09640eaa80029d74363c0a5aabddead4c
SHA512: be92bd8393d0fe69559ec55e1068fcd77ccc699361a9cb98d467bd51a029c371852b7a1196ad53fa8865e956582e6a4d35f6ac6fea3832058b7a427133b0048c