ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
31/08/2023, 01:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
Size

29KB
MD5

64323f548000b99d112d25e8c98af958
SHA1

f9184d054a19cd31ae65f2987497bd1729b6610c
SHA256

ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77
SHA512

9d38f22bd423eadf5a1351968c7a032ccac9cdc0928aed4c2c87d9634c481aabf52383f18b2dbb20921ca0d75eb206fad26e40b74990ae810939a2b54d4d4126
SSDEEP

384:z7nbbybwP1Gt5M0zhIV/DZ3KZp7JcTO4yf9Knuf2MqlUV2V9wVfUnfR9C5fyuGyR:/bOG16GVRu1yK9fMnJG2V9dDClcx

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened (read-only)	\??\X:	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened (read-only)	\??\R:	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened (read-only)	\??\O:	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened (read-only)	\??\Z:	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened (read-only)	\??\L:	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened (read-only)	\??\J:	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened (read-only)	\??\H:	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened (read-only)	\??\V:	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened (read-only)	\??\T:	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened (read-only)	\??\S:	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened (read-only)	\??\Q:	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened (read-only)	\??\M:	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened (read-only)	\??\K:	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened (read-only)	\??\G:	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened (read-only)	\??\E:	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened (read-only)	\??\W:	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened (read-only)	\??\U:	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened (read-only)	\??\P:	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened (read-only)	\??\N:	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened (read-only)	\??\I:	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fr-ma\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\es-es\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\jfr\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened for modification	C:\Program Files\Windows Defender\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-cn\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ar-ae\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\it-it\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hu-hu\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sl-si\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\sk-sk\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fur\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Maps.exe	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sk-sk\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\tr-tr\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File created	C:\Program Files\Windows Defender\ja-JP\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-black\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hu-hu\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\themes\dark\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ky\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pl-pl\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\zh-tw\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Simple\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\da-dk\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-ae\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fi-fi\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hr-hr\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\de-de\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ca-es\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\cs-cz\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\pt-br\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hy\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ko\_desktop.ini	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1440	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
1440	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
1440	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
1440	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
1440	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
1440	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
1440	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
1440	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
1440	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
1440	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
1440	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
1440	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
1440	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
1440	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
1440	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
1440	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
1440	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
1440	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
1440	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
1440	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1440 wrote to memory of 4876	1440	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe	82
PID 1440 wrote to memory of 4876	1440	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe	82
PID 1440 wrote to memory of 4876	1440	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe	82
PID 4876 wrote to memory of 1300	4876	net.exe	84
PID 4876 wrote to memory of 1300	4876	net.exe	84
PID 4876 wrote to memory of 1300	4876	net.exe	84
PID 1440 wrote to memory of 3128	1440	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe	41
PID 1440 wrote to memory of 3128	1440	ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe	41

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3128
- C:\Users\Admin\AppData\Local\Temp\ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe
  "C:\Users\Admin\AppData\Local\Temp\ad85e66bf3d4202942c44578b813c615fd82bef39701f5bc36d60bf498f68f77.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1440
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4876
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:1300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
60b46f544a0dc4380f14838fb6989888

SHA1
b89da20a3cad127fce57c970d958cbbdb31debdd

SHA256
c729c410ae69ba23055f3720c6bc020a5ad5e18bedf8a518679479ff720b164b

SHA512
cf2d6cbfc59e9c6f2c7d703d905322c636bd915b897ddd936a3e0ddafc9a29d9bdb558155e7ff2d3ee214ff606a2dc46fe67bd240427e4af98b9c6c6517e4928

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.exe

Filesize
2.8MB

MD5
2a93dbc5cb1519137c9c2c7c79b83aff

SHA1
118a189e938f03d0e9a9f396cce1716be301f35e

SHA256
17117220612a84f83e783a9aa83529f63133430cd2a55919de26b521a38dbe9b

SHA512
26997cd744359ed438d3052c9811b14b1ef200820a4b62ee1ed06156a927b7ae86b36af7c78a3147cca58723c911e46db06ef7aa5f5ba6e4de7f39cc518fec7e

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1420546310-613437930-2990200354-1000\_desktop.ini

Filesize
9B

MD5
3f532d661e3e85749ba887e931dca7a7

SHA1
9c5a57aaaae4d4912756648e50e0f1625555d8d4

SHA256
f6746f43007f7011976e21b41698acf00f4beb5eabd554c27ec7b9700b9a6805

SHA512
f544d4b3b6eedb3643c38c8c11941058d933539e88900ee90aa2a2b90980f410acf8a82345540b68b456c5fc35751422155c888923763c0a8014fcff4d4295b8

Download Submit
memory/1440-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1440-5-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1440-13-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1440-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1440-24-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1440-27-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1440-1264-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1440-4805-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download