104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
18-09-2023 18:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
Size

26KB
MD5

a5d37063aaca62143a8222dae9a2d97c
SHA1

54d461778af4e801ec1c8d54cb128025079053e8
SHA256

104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9
SHA512

d080873aef85a073d0e52bb189ff7f72bf2d6ac82dd622de4520e4b07cd828890469f9868ee97de9ca7370f0625692e74c63173fcbe4e0bc93d15d54d4f55c2a
SSDEEP

768:Y1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoZw:KfgLdQAQfcfymN

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened (read-only)	\??\P:	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened (read-only)	\??\M:	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened (read-only)	\??\L:	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened (read-only)	\??\I:	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened (read-only)	\??\E:	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened (read-only)	\??\X:	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened (read-only)	\??\U:	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened (read-only)	\??\R:	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened (read-only)	\??\N:	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened (read-only)	\??\K:	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened (read-only)	\??\J:	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened (read-only)	\??\Z:	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened (read-only)	\??\V:	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened (read-only)	\??\S:	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened (read-only)	\??\G:	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened (read-only)	\??\W:	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened (read-only)	\??\T:	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened (read-only)	\??\H:	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened (read-only)	\??\Y:	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened (read-only)	\??\O:	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_neutral_~_8wekyb3d8bbwe\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-il\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\te-IN\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\tr-tr\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sl-sl\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\update_tracking\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmprph.exe	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File created	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-white\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fi-fi\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\nl-nl\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pt-br\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.exe	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\da-dk\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\SmartSelect\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_2019.1111.2029.0_neutral_~_8wekyb3d8bbwe\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\it-it\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\contrast-black\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\en-US\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-tw\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-fr\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\hu-hu\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\pack200.exe	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\he-il\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-ae\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fi-fi\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\de-de\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-sl\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sl-si\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sl-sl\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\lua\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\beeps\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\_desktop.ini	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1288	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
1288	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
1288	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
1288	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
1288	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
1288	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
1288	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
1288	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
1288	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
1288	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
1288	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
1288	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
1288	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
1288	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
1288	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
1288	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
1288	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
1288	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
1288	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
1288	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 4540	1288	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe	86
PID 1288 wrote to memory of 4540	1288	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe	86
PID 1288 wrote to memory of 4540	1288	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe	86
PID 4540 wrote to memory of 1232	4540	net.exe	88
PID 4540 wrote to memory of 1232	4540	net.exe	88
PID 4540 wrote to memory of 1232	4540	net.exe	88
PID 1288 wrote to memory of 904	1288	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe	36
PID 1288 wrote to memory of 904	1288	104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe	36

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:904
- C:\Users\Admin\AppData\Local\Temp\104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe
  "C:\Users\Admin\AppData\Local\Temp\104413c8414d2b0cc21bc270a833dc4a07eb04a7c87f44a1ebfdf64b0af390d9.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1288
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4540
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:1232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
ec2e6a277c765243926a298835e05019

SHA1
022a830abaedcabc62a9ebf860cb461d5ed79990

SHA256
aa909c55ac95e7d095b1a03d06e08413cd0a22a29fb7167e5732fb004414c53b

SHA512
a4874c771cad3bd972714e1cf72204bff6cbff94388fa72dd5a2c2db4591bcd8474fc056842be1d9dada97f11d3557c768b86cf2272df8ac1f367c7bf4e1452c

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.exe

Filesize
2.8MB

MD5
7c313f145baf0ea3feaac4416946fa6b

SHA1
15e26715a75ed280b2aa504e6b1d14e26cf2f84a

SHA256
ba1b37faf7770abd2930935fda5f32d414ba13571616bdbce039789af746aec3

SHA512
b847fa63fa4612bbfaa0c09270a70ca6c7da1c83d712167727c77dca8d4d35c07d31ebb60a8bf3bb805a5f4f85b226ab128c4a98685b984e51bec4dc353bc75e

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1045988481-1457812719-2617974652-1000\_desktop.ini

Filesize
9B

MD5
9871758f1c8c7fb518b6793d4aa66294

SHA1
2808f61dd22a0bf12c85bbc65326e0bfe2f7f627

SHA256
1f836ee8dbd13a9f1fa0f2de0976570138232addb74f0a354ed9b499191dc80d

SHA512
a261ec877b3ccc43db77712359d10c360a50f420fed5cf6a65fd6894d2cd5055f5b72f85edb823a1da22121955aaaa6da34550da9f825c12982602c579a6bb3d

Download Submit
memory/1288-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1288-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1288-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1288-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1288-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1288-174-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1288-1264-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1288-3361-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1288-5-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1288-4806-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download