95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2023, 22:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
Size

29KB
MD5

3872fa77fc88f5b0a37885ed0fea6a6c
SHA1

c6583a3cf3d280a880c7ab3767e4dbfb5d218fa0
SHA256

95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387
SHA512

f20a27028c81013507f9f6c0f9bdb77bef7dc108c269bcd1e0e55fc4dfc81f491b9273a10dc93822a7ec8bf9bb3908a2b95be71402a7948d6dc1b8665b6c9d71
SSDEEP

384:NbbyQ9oKLOkAx11Gt5M0zhIV/DZ3KZp7JcTO4yf9Knuf2MqlUV2V9wVfUnfRqOzL:p6KLhAx116GVRu1yK9fMnJG2V9dHS8

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened (read-only)	\??\O:	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened (read-only)	\??\J:	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened (read-only)	\??\I:	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened (read-only)	\??\H:	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened (read-only)	\??\G:	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened (read-only)	\??\Y:	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened (read-only)	\??\X:	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened (read-only)	\??\W:	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened (read-only)	\??\V:	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened (read-only)	\??\L:	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened (read-only)	\??\K:	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened (read-only)	\??\Z:	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened (read-only)	\??\P:	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened (read-only)	\??\N:	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened (read-only)	\??\M:	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened (read-only)	\??\E:	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened (read-only)	\??\Q:	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened (read-only)	\??\T:	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened (read-only)	\??\R:	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened (read-only)	\??\U:	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\java.exe	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ru-ru\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\eu-es\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hu-hu\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\da-dk\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ml-IN\View3d\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\cs-cz\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-ae\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\tr-tr\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\css\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\mux\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hu-hu\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-gb\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File created	C:\Program Files (x86)\Windows Defender\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kn\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File created	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\de-de\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nb-no\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\it-IT\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\jfr\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File created	C:\Program Files\VideoLAN\VLC\locale\id\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\VideoFrameExtractor\Views\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\dark\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nl-nl\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\zh-tw\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\uk-UA\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\locimages\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\he-il\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Comprehensive\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\CortanaApp.ViewElements\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAppRuntime.1.2_2000.802.31.0_x86__8wekyb3d8bbwe\sl-SI\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ar-ae\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\css\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hu-hu\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sv-se\_desktop.ini	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1616	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
1616	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
1616	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
1616	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
1616	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
1616	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
1616	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
1616	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
1616	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
1616	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
1616	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
1616	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
1616	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
1616	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
1616	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
1616	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
1616	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
1616	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
1616	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
1616	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeManageVolumePrivilege	1152	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1616 wrote to memory of 696	1616	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe	84
PID 1616 wrote to memory of 696	1616	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe	84
PID 1616 wrote to memory of 696	1616	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe	84
PID 696 wrote to memory of 872	696	net.exe	87
PID 696 wrote to memory of 872	696	net.exe	87
PID 696 wrote to memory of 872	696	net.exe	87
PID 1616 wrote to memory of 3176	1616	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe	22
PID 1616 wrote to memory of 3176	1616	95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe	22

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3176
- C:\Users\Admin\AppData\Local\Temp\95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe
  "C:\Users\Admin\AppData\Local\Temp\95414c479b8d1504b456f16b3c2fdea990c35ef003ef9d8191895af980459387.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:696
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:872

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:1732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
8bfad3b639077ed274dbc563b972703b

SHA1
81116254c4c548e7a203a4576f39ab1179027901

SHA256
31d6a2fd6823012356fc104a275da46d18e7bdfbd8e71217b4e598c2596d884e

SHA512
6bfdaf32c1bb69fbaa8494ab94cf6a485d7e139ee79ff82268f423f57300040caba7d39a1207f9d099a2a91a8e3d845636e46d364bea898ec9ad34ace26010ed

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
597KB

MD5
47a341bedad353e27090d4a7f1238769

SHA1
75558dbeb3789be5c0f98a4c47661a697b31349c

SHA256
a4b6a0629c04a4b46288dfe14e62a0602095aa572cf6f5d096c7e0ff6c4b3646

SHA512
8e8aa0f7d12de00ff049e12ce67c7ea78b30b49b17c2155ffff19c04376359f0841c16c7063ce2187ffe709516c5de214de5c9dd39ae28d453a853f9917825c2

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3027552071-446050021-1254071215-1000\_desktop.ini

Filesize
9B

MD5
0d8cc6d8ad77008e4eea5193ba074b8b

SHA1
ed3ef3737662f0b0d7dabb8a681fdab8882322a1

SHA256
02cb6e1ee5bc2475b62b35df1ff95d9d38080ea818c3fea2c65ceb449c761999

SHA512
8cf0f361865203a0b8ea23fb3a33827b86958c4035294db074562956d6fe213d9069f3e5687ea66284e14f4406d74d348d98eec1af10b2538acd7a302752813f

Download Submit
memory/1152-59-0x0000026269240000-0x0000026269241000-memory.dmp

Filesize
4KB

Download
memory/1152-61-0x0000026269350000-0x0000026269351000-memory.dmp

Filesize
4KB

Download
memory/1152-60-0x0000026269240000-0x0000026269241000-memory.dmp

Filesize
4KB

Download
memory/1152-25-0x0000026260DA0000-0x0000026260DB0000-memory.dmp

Filesize
64KB

Download
memory/1152-41-0x0000026260EA0000-0x0000026260EB0000-memory.dmp

Filesize
64KB

Download
memory/1152-57-0x0000026269210000-0x0000026269211000-memory.dmp

Filesize
4KB

Download
memory/1616-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1616-23-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1616-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1616-64-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1616-13-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1616-1302-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1616-3827-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1616-5-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1616-4845-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download