Analysis

max time kernel: 154s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-05-2024 14:22

Static task: static1
Behavioral task: behavioral1
Sample: 86c881b8328c04c0c0c38b1208ec4b4ddefc628470ae4e50b80b191e87ed5e18.exe
Resource: win7-20240221-en

General

Target: 86c881b8328c04c0c0c38b1208ec4b4ddefc628470ae4e50b80b191e87ed5e18.exe
Size: 74KB
MD5: b34193e981ef61d9e0005a6a19eedf84
SHA1: f8095cbf39092fb306002cd4f58146cc50a81985
SHA256: 86c881b8328c04c0c0c38b1208ec4b4ddefc628470ae4e50b80b191e87ed5e18
SHA512: 47db1bbfc19948f06c53eb2ce68ae89b309a3fe4d6f5c20b1c11ea2f3b8b6c4b09fe797610a6f814e147172b11ea46ecc65786a5fa9f0632f63663aa9c0bda4e
SSDEEP: 1536:6Hcx1aeg1v9OQZVUKM6+kKpNEToa9D4ZQKbgZi1dst7x9PxQ:6Hf9lOzKM5p9lZQKbgZi1St7xQ
Signatures

Drops startup file (2 IoCs)
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | Logo1_.exe

Executes dropped EXE (2 IoCs)
pid | Process
3740 | Logo1_.exe
1416 | 86c881b8328c04c0c0c38b1208ec4b4ddefc628470ae4e50b80b191e87ed5e18.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials and similar secrets.

Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\G: | Logo1_.exe
File opened (read-only) | \??\E: | Logo1_.exe
File opened (read-only) | \??\R: | Logo1_.exe
File opened (read-only) | \??\L: | Logo1_.exe
File opened (read-only) | \??\T: | Logo1_.exe
File opened (read-only) | \??\S: | Logo1_.exe
File opened (read-only) | \??\P: | Logo1_.exe
File opened (read-only) | \??\X: | Logo1_.exe
File opened (read-only) | \??\U: | Logo1_.exe
File opened (read-only) | \??\Q: | Logo1_.exe
File opened (read-only) | \??\O: | Logo1_.exe
File opened (read-only) | \??\N: | Logo1_.exe
File opened (read-only) | \??\M: | Logo1_.exe
File opened (read-only) | \??\I: | Logo1_.exe
File opened (read-only) | \??\H: | Logo1_.exe
File opened (read-only) | \??\Y: | Logo1_.exe
File opened (read-only) | \??\V: | Logo1_.exe
File opened (read-only) | \??\K: | Logo1_.exe
File opened (read-only) | \??\J: | Logo1_.exe
File opened (read-only) | \??\Z: | Logo1_.exe
File opened (read-only) | \??\W: | Logo1_.exe
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
description | ioc | Process
File created | C:\Windows\rundl132.exe | 86c881b8328c04c0c0c38b1208ec4b4ddefc628470ae4e50b80b191e87ed5e18.exe
File created | C:\Windows\Logo1_.exe | 86c881b8328c04c0c0c38b1208ec4b4ddefc628470ae4e50b80b191e87ed5e18.exe
File opened for modification | C:\Windows\rundl132.exe | Logo1_.exe
File created | C:\Windows\Dll.dll | Logo1_.exe

Runs net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target
PID 2388 wrote to memory of 1304 | 2388 | 86c881b8328c04c0c0c38b1208ec4b4ddefc628470ae4e50b80b191e87ed5e18.exe | 91
PID 2388 wrote to memory of 1304 | 2388 | 86c881b8328c04c0c0c38b1208ec4b4ddefc628470ae4e50b80b191e87ed5e18.exe | 91
PID 2388 wrote to memory of 1304 | 2388 | 86c881b8328c04c0c0c38b1208ec4b4ddefc628470ae4e50b80b191e87ed5e18.exe | 91
PID 2388 wrote to memory of 4560 | 2388 | 86c881b8328c04c0c0c38b1208ec4b4ddefc628470ae4e50b80b191e87ed5e18.exe | 93
PID 2388 wrote to memory of 4560 | 2388 | 86c881b8328c04c0c0c38b1208ec4b4ddefc628470ae4e50b80b191e87ed5e18.exe | 93
PID 2388 wrote to memory of 4560 | 2388 | 86c881b8328c04c0c0c38b1208ec4b4ddefc628470ae4e50b80b191e87ed5e18.exe | 93
PID 1304 wrote to memory of 4584 | 1304 | net.exe | 95
PID 1304 wrote to memory of 4584 | 1304 | net.exe | 95
PID 1304 wrote to memory of 4584 | 1304 | net.exe | 95
PID 2388 wrote to memory of 3740 | 2388 | 86c881b8328c04c0c0c38b1208ec4b4ddefc628470ae4e50b80b191e87ed5e18.exe | 96
PID 2388 wrote to memory of 3740 | 2388 | 86c881b8328c04c0c0c38b1208ec4b4ddefc628470ae4e50b80b191e87ed5e18.exe | 96
PID 2388 wrote to memory of 3740 | 2388 | 86c881b8328c04c0c0c38b1208ec4b4ddefc628470ae4e50b80b191e87ed5e18.exe | 96
PID 3740 wrote to memory of 488 | 3740 | Logo1_.exe | 97
PID 3740 wrote to memory of 488 | 3740 | Logo1_.exe | 97
PID 3740 wrote to memory of 488 | 3740 | Logo1_.exe | 97
PID 488 wrote to memory of 3264 | 488 | net.exe | 99
PID 488 wrote to memory of 3264 | 488 | net.exe | 99
PID 488 wrote to memory of 3264 | 488 | net.exe | 99
PID 4560 wrote to memory of 1416 | 4560 | cmd.exe | 100
PID 4560 wrote to memory of 1416 | 4560 | cmd.exe | 100
PID 3740 wrote to memory of 1092 | 3740 | Logo1_.exe | 101
PID 3740 wrote to memory of 1092 | 3740 | Logo1_.exe | 101
PID 3740 wrote to memory of 1092 | 3740 | Logo1_.exe | 101
PID 1092 wrote to memory of 3884 | 1092 | net.exe | 103
PID 1092 wrote to memory of 3884 | 1092 | net.exe | 103
PID 1092 wrote to memory of 3884 | 1092 | net.exe | 103
PID 3740 wrote to memory of 3240 | 3740 | Logo1_.exe | 57
PID 3740 wrote to memory of 3240 | 3740 | Logo1_.exe | 57
Processes

- C:\Windows\Explorer.EXE (command line: C:\Windows\Explorer.EXE), PID 3240
  - C:\Users\Admin\AppData\Local\Temp\86c881b8328c04c0c0c38b1208ec4b4ddefc628470ae4e50b80b191e87ed5e18.exe (command line: "C:\Users\Admin\AppData\Local\Temp\86c881b8328c04c0c0c38b1208ec4b4ddefc628470ae4e50b80b191e87ed5e18.exe"), PID 2388
    Signatures: Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\net.exe (command line: net stop "Kingsoft AntiVirus Service"), PID 1304
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net1.exe (command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"), PID 4584
    - C:\Windows\SysWOW64\cmd.exe (command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4ED.bat), PID 4560
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\86c881b8328c04c0c0c38b1208ec4b4ddefc628470ae4e50b80b191e87ed5e18.exe (command line: "C:\Users\Admin\AppData\Local\Temp\86c881b8328c04c0c0c38b1208ec4b4ddefc628470ae4e50b80b191e87ed5e18.exe"), PID 1416
        Signatures: Executes dropped EXE
    - C:\Windows\Logo1_.exe (command line: C:\Windows\Logo1_.exe), PID 3740
      Signatures: Drops startup file; Executes dropped EXE; Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\net.exe (command line: net stop "Kingsoft AntiVirus Service"), PID 488
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"), PID 3264
      - C:\Windows\SysWOW64\net.exe (command line: net stop "Kingsoft AntiVirus Service"), PID 1092
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\net1.exe (command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"), PID 3884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3912 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8), PID 4512