Analysis

max time kernel: 150s
max time network: 123s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240709-en locale:en-us os:windows10-2004-x64 system
submitted: 19/07/2024, 05:08

Static task: static1
Behavioral task: behavioral1
Sample: 55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe
Resource: win7-20240705-en
General

Target: 55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe
Size: 1.1MB
MD5: 4052774a9f7c6514ed83a76e091a9543
SHA1: 6013d9d0d8e048e9b8bcce58ebb4c026ba63d6d4
SHA256: 55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd
SHA512: 2675bd5ed1a1dd4802ced7536db854fd61e926c0701f44f8a5e6e13348fae14b18b873d021c356894cb96f990456db8e77d59ec82ae2086eedd0cb638435889a
SSDEEP: 24576:MbBRXT9T+w6zY8v5a2FZ7WDpk2Kvfd5nP6Wp8zrMBThYBjv:sBRZ6zY8/7WDaDvfd5iQ8zoBThojv
Malware Config
Signatures
Drops startup file (2 IoCs)
- File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (Logo1_.exe)
- File created: C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini (Logo1_.exe)
Executes dropped EXE (2 IoCs)
- PID 4112: Logo1_.exe
- PID 4932: 55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by Logo1_.exe: \??\X:, \??\U:, \??\T:, \??\O:, \??\H:, \??\G:, \??\Z:, \??\J:, \??\I:, \??\E:, \??\K:, \??\W:, \??\V:, \??\S:, \??\Q:, \??\N:, \??\M:, \??\L:, \??\Y:, \??\R:, \??\P:
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (4 IoCs)
- File created: C:\Windows\rundl132.exe (55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe)
- File created: C:\Windows\Logo1_.exe (55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe)
- File opened for modification: C:\Windows\rundl132.exe (Logo1_.exe)
- File created: C:\Windows\Dll.dll (Logo1_.exe)
Runs net.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs)
- PID 3792: 55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe
- PID 4112: Logo1_.exe
Suspicious use of WriteProcessMemory (28 IoCs)
- PID 3792 wrote to memory of 368 | pid 3792 | 55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe | procid_target 84 (3 entries)
- PID 368 wrote to memory of 2224 | pid 368 | net.exe | procid_target 86 (3 entries)
- PID 3792 wrote to memory of 2936 | pid 3792 | 55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe | procid_target 90 (3 entries)
- PID 3792 wrote to memory of 4112 | pid 3792 | 55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe | procid_target 91 (3 entries)
- PID 4112 wrote to memory of 4952 | pid 4112 | Logo1_.exe | procid_target 93 (3 entries)
- PID 4952 wrote to memory of 3692 | pid 4952 | net.exe | procid_target 95 (3 entries)
- PID 2936 wrote to memory of 4932 | pid 2936 | cmd.exe | procid_target 96 (2 entries)
- PID 4112 wrote to memory of 4188 | pid 4112 | Logo1_.exe | procid_target 97 (3 entries)
- PID 4188 wrote to memory of 552 | pid 4188 | net.exe | procid_target 99 (3 entries)
- PID 4112 wrote to memory of 3504 | pid 4112 | Logo1_.exe | procid_target 56 (2 entries)
Processes

C:\Windows\Explorer.EXE (PID 3504)
  command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe (PID 3792)
    command line: "C:\Users\Admin\AppData\Local\Temp\55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe"
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net.exe (PID 368)
      command line: net stop "Kingsoft AntiVirus Service"
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net1.exe (PID 2224)
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

    C:\Windows\SysWOW64\cmd.exe (PID 2936)
      command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aBA86.bat
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe (PID 4932)
        command line: "C:\Users\Admin\AppData\Local\Temp\55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe"
        - Executes dropped EXE

    C:\Windows\Logo1_.exe (PID 4112)
      command line: C:\Windows\Logo1_.exe
      - Drops startup file
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net.exe (PID 4952)
        command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe (PID 3692)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

      C:\Windows\SysWOW64\net.exe (PID 4188)
        command line: net stop "Kingsoft AntiVirus Service"
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\net1.exe (PID 552)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize: 649KB
C:\Users\Admin\AppData\Local\Temp\55e029a4af7d6887c97710dd72fd928a6c857b808ac3cd7f545a8e3e9c9adcfd.exe.exe
Filesize: 1.1MB