a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e

Analysis

max time kernel
151s
max time network
156s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
26/08/2023, 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
Size

26KB
MD5

09fcc49fe747037561eec5160012d609
SHA1

bced7772a3afdcbfdc9815d720ae75c04163184f
SHA256

a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e
SHA512

99cc3e764c044fa1fe201c50ed49992cc7d3819b2718023babfb31f1ebe11b9b6b9612f41e571fb893d7bfd696cb4f2c818973f742e640c4e5d44364d7cd62a4
SSDEEP

768:CAppp1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoL:Xpp/fgLdQAQfcfymN

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened (read-only)	\??\V:	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened (read-only)	\??\S:	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened (read-only)	\??\K:	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened (read-only)	\??\Q:	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened (read-only)	\??\N:	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened (read-only)	\??\L:	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened (read-only)	\??\I:	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened (read-only)	\??\G:	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened (read-only)	\??\Z:	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened (read-only)	\??\X:	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened (read-only)	\??\W:	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened (read-only)	\??\E:	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened (read-only)	\??\Y:	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened (read-only)	\??\U:	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened (read-only)	\??\J:	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened (read-only)	\??\O:	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened (read-only)	\??\M:	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened (read-only)	\??\T:	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened (read-only)	\??\R:	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened (read-only)	\??\P:	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\css\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ro-ro\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\lo-LA\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pl-pl\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sl-sl\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nb-no\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\nl-nl\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\ja-JP\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\VideoEditor.Common\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sk-sk\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\css\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\da-dk\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\nl-nl\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\nb-no\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File created	C:\Program Files (x86)\Windows Sidebar\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jsadebugd.exe	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pa\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-fr\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\root\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened for modification	C:\Program Files (x86)\Google\Update\DisabledGoogleUpdate.exe	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\telemetryrules\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sv-se\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\bg-BG\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\root\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\da-dk\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sk-sk\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ca-es\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File created	C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gu\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\sr-cyrl-cs\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-cn\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fr-fr\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ja-jp\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fa-IR\View3d\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fr-CA\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-gb\_desktop.ini	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4500	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
4500	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
4500	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
4500	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
4500	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
4500	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
4500	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
4500	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
4500	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
4500	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
4500	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
4500	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
4500	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
4500	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
4500	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
4500	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
4500	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
4500	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
4500	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
4500	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 2220	4500	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe	82
PID 4500 wrote to memory of 2220	4500	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe	82
PID 4500 wrote to memory of 2220	4500	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe	82
PID 2220 wrote to memory of 1924	2220	net.exe	84
PID 2220 wrote to memory of 1924	2220	net.exe	84
PID 2220 wrote to memory of 1924	2220	net.exe	84
PID 4500 wrote to memory of 3244	4500	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe	54
PID 4500 wrote to memory of 3244	4500	a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe	54

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3244
- C:\Users\Admin\AppData\Local\Temp\a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe
  "C:\Users\Admin\AppData\Local\Temp\a9dde9853f389699621c43d26f58d1b370b83172df7b4fda5b749b5efc6c240e.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4500
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:1924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
0483070bbbc609d71ec14c0fb0a70be1

SHA1
90a8ae41bc68220f97f056a9cc9c91d3c8063249

SHA256
840c851344c9acb25241502d597d130feb6f059fe50947e696e192291cbafe65

SHA512
3e20d4be7cbeb347eab3002e184dc4ecfef5c61a88c62fad0154134d77a38b3b468adac10160fe7fb19e68d87f8bfc317613f9a8ed0fc6b8d778341630516b52

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.exe

Filesize
2.8MB

MD5
9283436406789462c5d890176f003e16

SHA1
f4018dce0739baa2b5036182e90fc9fa220c847f

SHA256
b27df63e61e4fc740f4d46f470bf224cc5fb8f5a8b425de58bbaa102d2477b72

SHA512
b124b850ff8ca0727c5174b711f5e1d0bdd6510ee82e73d23d3cc32afa7e4b48ca6712475a3eb6f92bef544b6a18c42f183e476d3e83aece11688dc200632704

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-618519468-4027732583-1827558364-1000\_desktop.ini

Filesize
9B

MD5
f69e51f788b9591cc1a5c32b5d8555e0

SHA1
8690c2639d514f6a56d096f7729496ef0e7dbccf

SHA256
9c946a7ed190442c6c3cab3b0c1324cee605d4e233e75fc2192f4cff06c92c28

SHA512
2db2a58e8a4bb5db019f8a378abf6e12526810029bd9540474ff68cca7e9dc6705f4de550106bfd7f4ba33308da7722c641bb3d5d1b13a2d972609fbb3fb8c34

Download Submit
memory/4500-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-5-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-13-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-24-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-1264-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-2879-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4500-4796-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download