d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516

Analysis

max time kernel
150s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2024, 02:30

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
Size

26KB
MD5

0d1cf8749ea892c6bf63bf5054d89745
SHA1

b6dff3d6a9c6483daa379f135ab110c2eb765fed
SHA256

d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516
SHA512

62d2e800dc48c23d6f4c1ba5d7880e1753400b2c82a43741040eceb25ae5c0d294763b2567ec9f7bd82316d4457187a1f9031082198cec8b78eb3718e51018d1
SSDEEP

768:F1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoL:jfgLdQAQfcfymN

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened (read-only)	\??\N:	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened (read-only)	\??\L:	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened (read-only)	\??\Y:	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened (read-only)	\??\X:	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened (read-only)	\??\K:	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened (read-only)	\??\J:	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened (read-only)	\??\Z:	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened (read-only)	\??\Q:	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened (read-only)	\??\H:	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened (read-only)	\??\W:	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened (read-only)	\??\R:	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened (read-only)	\??\S:	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened (read-only)	\??\P:	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened (read-only)	\??\O:	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened (read-only)	\??\M:	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened (read-only)	\??\I:	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened (read-only)	\??\G:	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened (read-only)	\??\V:	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened (read-only)	\??\U:	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened (read-only)	\??\E:	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\de-de\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ja-jp\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-gb\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\am-ET\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\nb-no\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\fr-fr\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\root\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\hu-hu\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File created	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-tw\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ro-ro\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File created	C:\Program Files\Windows Defender\ja-JP\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-fr\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pt-br\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\hu-hu\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsAppRuntime.1.2_2000.802.31.0_x86__8wekyb3d8bbwe\hr-HR\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\root\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\sv-se\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\root\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-cn\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\it-it\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sl-si\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\en-US\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\js\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File created	C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\Bundle\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\LayersControl\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ne\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened for modification	C:\Program Files\WindowsApps\SpotifyAB.SpotifyMusic_1.226.1187.0_x64__zpdnekdrzrea0\SpotifyWidgetProvider.exe	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ar-ae\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\da-dk\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sv\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Calculator\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\fr-fr\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\root\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\tr\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File created	C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\x64\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nb-no\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-gb\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-si\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\zh-cn\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\nl-nl\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\nb-no\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File created	C:\Program Files (x86)\Windows Media Player\Icons\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-ae\_desktop.ini	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3728	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
3728	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
3728	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
3728	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
3728	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
3728	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
3728	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
3728	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
3728	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
3728	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
3728	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
3728	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
3728	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
3728	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
3728	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
3728	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
3728	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
3728	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
3728	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
3728	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3728 wrote to memory of 1260	3728	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe	88
PID 3728 wrote to memory of 1260	3728	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe	88
PID 3728 wrote to memory of 1260	3728	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe	88
PID 1260 wrote to memory of 3064	1260	net.exe	90
PID 1260 wrote to memory of 3064	1260	net.exe	90
PID 1260 wrote to memory of 3064	1260	net.exe	90
PID 3728 wrote to memory of 3448	3728	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe	41
PID 3728 wrote to memory of 3448	3728	d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe	41

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3448
- C:\Users\Admin\AppData\Local\Temp\d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe
  "C:\Users\Admin\AppData\Local\Temp\d9279d39b55dafa8e5c5fa401ccce9c0def16f4cfc740e0b97f3a0861c8f8516.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3728
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1260
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
359598f8b146708cf2d8d0908ce574bb

SHA1
427ff248a21882dc4c056bcdbc4fae9dc72a4eba

SHA256
3a6b7133a01d5eac5eddca9d0bbb4decfe8ac3ac92a551a84d46a24951c8175d

SHA512
ff9de6ae527c23492d089b5f6e8dae55f4d70448ae57545803a30f23e2fde933f522a0884738539acbab7427c564dad87ab2f933d29f175748196d02a5fca185

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
165KB

MD5
d6a298c6e8b996d9fd17a76e4e7b96b0

SHA1
e6e5e785a3d9e8bd40f9abdfd996f80247913fc9

SHA256
b86dda71a59bfdad61ae6621056ebbf3cfe5b4b665cf0636a28ea5d2ab2c4d90

SHA512
a540bfb830e1698cf01d23de99af964e2e99a953b6845ee6337feed53e2609364011990e160505dd4273da9a3d06292e997f3b7f47adbfb5ebc9eac6012185cc

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1815711207-1844170477-3539718864-1000\_desktop.ini

Filesize
9B

MD5
7f808734d303ae0442efdfce3344deee

SHA1
c814ffceeaadd0b7d41254ebf9698895924d5d42

SHA256
5b9baea2f17425d3edf9e446b467d55f39d41faaa8dbb351fea88b88bd20e79c

SHA512
b0278d3f79e4d8101351196b056c29a03102cac7fce93ba755156b1706ae505eeac237f0febff2718603707499b9ace1dc9dde225230e11c875ab55471ef4e9c

Download Submit
memory/3728-28-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3728-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3728-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3728-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3728-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3728-59-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3728-1151-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3728-2410-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3728-5-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3728-4703-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download