5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548

Analysis

max time kernel
160s
max time network
180s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
11/10/2023, 06:11

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
Size

29KB
MD5

935320c4695ec4790a3ac30084e9da3e
SHA1

7ca7ec6819c9e9fffb46c60c37966d250864a9dd
SHA256

5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548
SHA512

7507f9386fb70a7f7fff8e65ba4ed3ce14e13e380893c8c6bbcaf68fbd832c3ea05a2d2e128200a9c83f7264271ad743668be5d857d6cf9d280d4bf4801ffeeb
SSDEEP

384:z7nbbOVsEQ1Gt5M0zhIV/DZ3KZp7JcTO4yf9Knuf2MqlUV2V9wVfUnfR9C5fyuGu:/b4DQ16GVRu1yK9fMnJG2V9dDClcx

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened (read-only)	\??\M:	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened (read-only)	\??\H:	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened (read-only)	\??\G:	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened (read-only)	\??\E:	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened (read-only)	\??\X:	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened (read-only)	\??\V:	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened (read-only)	\??\L:	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened (read-only)	\??\K:	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened (read-only)	\??\T:	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened (read-only)	\??\P:	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened (read-only)	\??\Q:	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened (read-only)	\??\Z:	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened (read-only)	\??\S:	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened (read-only)	\??\U:	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened (read-only)	\??\R:	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened (read-only)	\??\N:	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened (read-only)	\??\J:	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened (read-only)	\??\I:	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened (read-only)	\??\Y:	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened (read-only)	\??\W:	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ja-jp\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstaller.exe	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File created	C:\Program Files\VideoLAN\VLC\locale\te\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Lumia.MagicEdit\Pages\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Transit\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\keytool.exe	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\en-gb\locimages\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javah.exe	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\uk-ua\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\sr-latn-cs\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File created	C:\Program Files\VideoLAN\VLC\locale\vi\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_chroma\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Store.Purchase\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ro-ro\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gu\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File created	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\210x173\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sv-se\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\servertool.exe	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\HelpAndFeedback\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Solitaire.exe	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File created	C:\Program Files\VideoLAN\VLC\locale\br\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\sd\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\th-TH\View3d\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pt-br\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-ae\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ckb\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\WindowsIcons\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\klist.exe	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ia\LC_MESSAGES\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sq\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\gl-ES\View3d\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\appletviewer.exe	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\he-il\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cgg\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ja-jp\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\_desktop.ini	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3752	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
3752	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
3752	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
3752	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
3752	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
3752	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
3752	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
3752	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
3752	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
3752	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
3752	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
3752	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
3752	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
3752	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
3752	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
3752	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
3752	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
3752	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
3752	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
3752	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3752 wrote to memory of 3928	3752	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe	85
PID 3752 wrote to memory of 3928	3752	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe	85
PID 3752 wrote to memory of 3928	3752	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe	85
PID 3928 wrote to memory of 560	3928	net.exe	87
PID 3928 wrote to memory of 560	3928	net.exe	87
PID 3928 wrote to memory of 560	3928	net.exe	87
PID 3752 wrote to memory of 3164	3752	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe	62
PID 3752 wrote to memory of 3164	3752	5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe	62

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3164
- C:\Users\Admin\AppData\Local\Temp\5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe
  "C:\Users\Admin\AppData\Local\Temp\5b95993842ee5c457c161000b53d129110c9dcb144abbc73a44f07b50fc24548.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3752
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3928
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:560

C:\Windows\System32\Upfc.exe
C:\Windows\System32\Upfc.exe /launchtype periodic /cv UYTZ3ZdrpUOCQP3kb+Lhsw.0
1⤵
PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\_desktop.ini

Filesize
10B

MD5
dbf19ca54500e964528b156763234c1d

SHA1
05376f86423aec8badf0adbc47887234ac83ef5a

SHA256
bfa0ad2e861e2369dc239edf8f62fbe1c4507d877ec2f76e46e48f1e68fdd5ae

SHA512
fb8ce1253ad6d3c1b7d970614dbc2d21574576336a490b54a8dc705a3d8637c0669747ba821fb2f4da14d7447dc24607aca988b0cd3bd9fc4d9d5988b4b631d0

Download Submit
C:\Program Files\Google\Chrome\Application\chrome.exe

Filesize
2.8MB

MD5
5be2181fce0944e288f82062e5d3499b

SHA1
6bfa96657cfb3710d2dbdc9bd4e6968dcfaef903

SHA256
5c2d9710b0cbeeba71385c553e91374d0928c8b1edda8a94a4f2d1d6b0fd1e20

SHA512
a3745e4dad700eb0b2ea145d986c434f6efdf53b3152b463fc3011ddcad0eed57e3c0712e3cdfbbaaaae63d877455ff0328ef1b45032cf2f8be4e008f21ffc5b

Download Submit
C:\_desktop.ini

Filesize
9B

MD5
872506f1dadcc0cedd1e9dee11f54da4

SHA1
d1e87145ed1d918f10ae4e93ccdbb994bc906ed5

SHA256
a0049e98811438481e150df54f7b555026746c943cb03106677bf75b4e412104

SHA512
6cf3aeeed18e66a16ed653a5c33133ec8d5fb58cf42aab9e712cf473233e506d4f14692dff04b7c20847718e5c344ec2651e57d2ae7a034610b07679b786344c

Download Submit
memory/3752-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3752-5-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3752-13-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3752-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3752-24-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3752-28-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3752-1264-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3752-1270-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3752-2451-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download