79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac

Analysis

max time kernel
152s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 21:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
Size

33KB
MD5

588c7ebb89e436745c7227efa43b4720
SHA1

09420e72d25fa110eb29c747f5955fa193204ee5
SHA256

79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac
SHA512

2d4d289144fd2f5dd1727e048372e71e5f9e004cbe709d6a5036827ac1e40459575c31032b255d74c726e10a56895ddb555c2dd6f048afeca4a42f3fa8965868
SSDEEP

768:OQAAvhuO5RroZJ767395uINRhv/EY3GQvTp7XAMtSG:OQAAvhue+Zk77RNzXFWQdXDSG

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened (read-only)	\??\M:	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened (read-only)	\??\H:	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened (read-only)	\??\X:	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened (read-only)	\??\V:	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened (read-only)	\??\T:	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened (read-only)	\??\R:	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened (read-only)	\??\O:	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened (read-only)	\??\L:	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened (read-only)	\??\J:	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened (read-only)	\??\G:	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened (read-only)	\??\E:	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened (read-only)	\??\Z:	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened (read-only)	\??\Y:	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened (read-only)	\??\Q:	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened (read-only)	\??\P:	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened (read-only)	\??\K:	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened (read-only)	\??\W:	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened (read-only)	\??\S:	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened (read-only)	\??\N:	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened (read-only)	\??\I:	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SLATE\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File created	C:\Program Files\Microsoft Office 15\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File created	C:\Program Files\Internet Explorer\en-US\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javap.exe	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lv\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ml\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\serialver.exe	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\core\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\plugin2\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File created	C:\Program Files\Microsoft Office\root\Licenses\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File created	C:\Program Files\Microsoft Office\root\Office15\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File created	C:\Program Files\VideoLAN\VLC\locale\wa\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened for modification	C:\Program Files\Microsoft Office\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\javaws.exe	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File created	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Templates\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\bin\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File created	C:\Program Files\Java\jdk1.8.0_66\include\win32\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File created	C:\Program Files\VideoLAN\VLC\locale\is\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kk\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\wa\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\configuration\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Filters\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ach\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cgg\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File created	C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File created	C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened for modification	C:\Program Files\Java\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\_desktop.ini	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
File created	C:\Windows\Dll.dll	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 4056 wrote to memory of 4132	4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe	86
PID 4056 wrote to memory of 4132	4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe	86
PID 4056 wrote to memory of 4132	4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe	86
PID 4132 wrote to memory of 4660	4132	net.exe	88
PID 4132 wrote to memory of 4660	4132	net.exe	88
PID 4132 wrote to memory of 4660	4132	net.exe	88
PID 4056 wrote to memory of 4560	4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe	89
PID 4056 wrote to memory of 4560	4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe	89
PID 4056 wrote to memory of 4560	4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe	89
PID 4560 wrote to memory of 1272	4560	net.exe	91
PID 4560 wrote to memory of 1272	4560	net.exe	91
PID 4560 wrote to memory of 1272	4560	net.exe	91
PID 4056 wrote to memory of 3308	4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe	23
PID 4056 wrote to memory of 3308	4056	79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe	23

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3308
- C:\Users\Admin\AppData\Local\Temp\79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe
  "C:\Users\Admin\AppData\Local\Temp\79bbe433f7273b07d7c61bae80f6fd6d8809d712d8d5f772dd62d809b75bffac.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4132
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:4660
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4560
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:1272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\chrome.exe

Filesize
2.8MB

MD5
9a5f4927f170db6105b2a09ca15eb9b8

SHA1
b24cc8ec9da7176275ac4bd96921e07dd27ebbb2

SHA256
d5011ab505955850d2ad5bdd8cd591912f9bd0841861a8926369483bda87e665

SHA512
91d86921ff0c13d4516aed9ec8b2c027734fd5a1dca181b444510aa45b15bb9c162f16765e2bb49abf3faddee16c09c5b80ed2f717881b4d8b5288893af00bd1

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2344688013-2965468717-2034126-1000\_desktop.ini

Filesize
10B

MD5
dbf19ca54500e964528b156763234c1d

SHA1
05376f86423aec8badf0adbc47887234ac83ef5a

SHA256
bfa0ad2e861e2369dc239edf8f62fbe1c4507d877ec2f76e46e48f1e68fdd5ae

SHA512
fb8ce1253ad6d3c1b7d970614dbc2d21574576336a490b54a8dc705a3d8637c0669747ba821fb2f4da14d7447dc24607aca988b0cd3bd9fc4d9d5988b4b631d0

Download Submit
memory/4056-22-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4056-5-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4056-9-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4056-3-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4056-0-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4056-2-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4056-426-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4056-466-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4056-647-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4056-664-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4056-828-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4056-1379-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download