e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef

General

Target

e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
Size

102KB
MD5

52133612ec226c359dfed366d7c454a0
SHA1

f737b6b2db1738b54f0291fa94f9bf87ee8cf669
SHA256

e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef
SHA512

1c972282b9c8e27e8372b3379102fd39de3d4f2c3636dfcbf9c6b7bc3653161c5227e53aa823103e731eb9304c1d75eb9d30c5d6d1c20dac6faac8593a61f311
SSDEEP

1536:6bqBQiRBxl5EzcBK/evhxx7C/iijdP5qHw76xDjqTQEnYa7bRgfoSmkg:zbRBxl5NBHt8RP4q6x0Zn3Cqkg

Score

8^/10

spyware stealer

Malware Config

Signatures

Drops file in Drivers directory 1 IoCs

Processes:

e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe

description	ioc	process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe

Drops startup file 2 IoCs

Processes:

e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe

description	ioc	process
File opened (read-only)	\??\T:	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened (read-only)	\??\Q:	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened (read-only)	\??\P:	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened (read-only)	\??\J:	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened (read-only)	\??\F:	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened (read-only)	\??\Y:	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened (read-only)	\??\V:	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened (read-only)	\??\R:	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened (read-only)	\??\I:	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened (read-only)	\??\G:	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened (read-only)	\??\W:	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened (read-only)	\??\O:	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened (read-only)	\??\U:	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened (read-only)	\??\S:	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened (read-only)	\??\N:	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened (read-only)	\??\M:	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened (read-only)	\??\L:	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened (read-only)	\??\K:	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened (read-only)	\??\Z:	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened (read-only)	\??\X:	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened (read-only)	\??\H:	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened (read-only)	\??\E:	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe

Drops file in Program Files directory 64 IoCs

Processes:

e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe

description	ioc	process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hr-hr\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\js\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\zh-cn\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\it-it\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hu-hu\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File created	C:\Program Files (x86)\Windows Mail\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ar-ae\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\pt-br\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nl-nl\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\nl-nl\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jvisualvm.exe	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sk-sk\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\root\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File created	C:\Program Files\Mozilla Firefox\uninstall\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\fr-fr\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ru-ru\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\eu-es\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File created	C:\Program Files\VideoLAN\VLC\lua\sd\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\de-de\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\pl-pl\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pl-pl\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hu-hu\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\pt-br\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\1033\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hr-hr\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\policytool.exe	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\1033\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kk\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\tr-tr\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\es-es\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pl-pl\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\ODBC\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-gb\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\tr-tr\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-gb\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File created	C:\Program Files (x86)\Common Files\Java\Java Update\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\_desktop.ini	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe

Drops file in Windows directory 2 IoCs

Processes:

e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe

description	ioc	process
File created	C:\Windows\rundl132.exe	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
File created	C:\Windows\Dll.dll	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

Processes:

e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe

pid	process
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exenet.exenet.exe

description	pid	process	target process
PID 4572 wrote to memory of 1884	4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe	net.exe
PID 4572 wrote to memory of 1884	4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe	net.exe
PID 4572 wrote to memory of 1884	4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe	net.exe
PID 1884 wrote to memory of 4212	1884	net.exe	net1.exe
PID 1884 wrote to memory of 4212	1884	net.exe	net1.exe
PID 1884 wrote to memory of 4212	1884	net.exe	net1.exe
PID 4572 wrote to memory of 2460	4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe	net.exe
PID 4572 wrote to memory of 2460	4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe	net.exe
PID 4572 wrote to memory of 2460	4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe	net.exe
PID 2460 wrote to memory of 4404	2460	net.exe	net1.exe
PID 2460 wrote to memory of 4404	2460	net.exe	net1.exe
PID 2460 wrote to memory of 4404	2460	net.exe	net1.exe
PID 4572 wrote to memory of 3056	4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe	Explorer.EXE
PID 4572 wrote to memory of 3056	4572	e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe	Explorer.EXE

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3056

C:\Users\Admin\AppData\Local\Temp\e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe
"C:\Users\Admin\AppData\Local\Temp\e47a6d77267fc51c28ef5a7cca7b8a90fb38f9f7ebb2544d97d5c9df6efbe1ef.exe"
2⤵
- Drops file in Drivers directory
- Drops startup file
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4572