a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce

Analysis

max time kernel
149s
max time network
96s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10-04-2024 18:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
Size

26KB
MD5

b1d285f2920b52df533cefca953e7ef9
SHA1

0736764baa53aa8f8543784d481c2b0fe2ce3767
SHA256

a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce
SHA512

dfac344861eaddca3bcab60fb8304a559250cfeb598a8c768fa6461396c238f6ec579b8257461b5e7981c59ca59d6818f810ae8d00b8e2baab4dce3df2bc6da5
SSDEEP

768:bf1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoL:bNfgLdQAQfcfymN

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened (read-only)	\??\R:	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened (read-only)	\??\P:	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened (read-only)	\??\H:	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened (read-only)	\??\G:	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened (read-only)	\??\Z:	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened (read-only)	\??\W:	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened (read-only)	\??\U:	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened (read-only)	\??\S:	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened (read-only)	\??\L:	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened (read-only)	\??\I:	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened (read-only)	\??\X:	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened (read-only)	\??\O:	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened (read-only)	\??\M:	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened (read-only)	\??\K:	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened (read-only)	\??\Y:	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened (read-only)	\??\V:	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened (read-only)	\??\Q:	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened (read-only)	\??\N:	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened (read-only)	\??\J:	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened (read-only)	\??\E:	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\br\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Install\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\d3d11\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sl-sl\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jrunscript.exe	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_2019.19071.19011.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\WCChromeNativeMessagingHost.exe	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sk-sk\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hr-hr\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lv\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files\VideoLAN\VLC\lua\sd\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\uk-ua\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\de-de\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-si\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\css\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sv\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nl-nl\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files (x86)\Google\Update\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sk-sk\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files\Java\jdk-1.8\jre\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-il\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\th-TH\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\tr-tr\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\rhp\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-white\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\ja-JP\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hu-hu\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hu-hu\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fi-fi\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nb-no\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\da-dk\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nb-no\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ko-kr\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Calculator\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\Fonts\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ar-ae\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_2019.904.1644.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\root\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\da-dk\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\sv-se\_desktop.ini	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4264	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
4264	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
4264	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
4264	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
4264	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
4264	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
4264	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
4264	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
4264	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
4264	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
4264	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
4264	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
4264	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
4264	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
4264	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
4264	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
4264	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
4264	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
4264	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
4264	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4264 wrote to memory of 4316	4264	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe	83
PID 4264 wrote to memory of 4316	4264	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe	83
PID 4264 wrote to memory of 4316	4264	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe	83
PID 4316 wrote to memory of 4028	4316	net.exe	85
PID 4316 wrote to memory of 4028	4316	net.exe	85
PID 4316 wrote to memory of 4028	4316	net.exe	85
PID 4264 wrote to memory of 3528	4264	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe	56
PID 4264 wrote to memory of 3528	4264	a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3528
- C:\Users\Admin\AppData\Local\Temp\a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe
  "C:\Users\Admin\AppData\Local\Temp\a1b1b79cb55fe601685b4c8cef29ff05d2e27e5dda9b9bd9d92b5258790dd1ce.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4264
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4316
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
10e927db6aae50e89fcb4d441d9e27e1

SHA1
6a2250c03aba8fe7a9c388742db5ac4e473fa178

SHA256
a68e60f5bc35fdb50525110f44ad636498278629d38a3854369e9a93ed70ee19

SHA512
1d6c8b2d48403d037fc31ffeee690ca956ed8595671e1400c8dad69347ac0749d94498b00feec325575d98d300c0694d0083ca7e2e72a124ff45e9f74dd09227

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
165KB

MD5
cdad2adb9ae1f1538e8bbcb20b175991

SHA1
4ff6d0c6372379a3ac5ab93b3ba69b5eee7d89bc

SHA256
0b362304913270867cfe6a9b73811cefc0ce242a28e5b0149bcae0eb65027d64

SHA512
fbe4507dfdd7e13bc4d301bb46317624eaffc8a485c87e6a9b8af65cf2d6583b67a2f04e4deea0d210fd9117c84f1e064a928400ba691e4bdf4001c7757221e6

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
481KB

MD5
1db5b390daa2d070657fbdb4f5d2cc55

SHA1
77e633e49df484b827080753514cc376749b0ceb

SHA256
d5fbaf5c0d8e313d4dad23b28cac4256c5dbed6ab3b0d797e2971f30c5e095ad

SHA512
68aa0152f5aae79a146c1813915fd16ec5454b285bd1781370923f97d6c147d53684192f7f4161e5c1a340959ec432ecaac127b0abe7d08f70c387e08ee4f617

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3270530367-132075249-2153716227-1000\_desktop.ini

Filesize
9B

MD5
95b3e5fe04e8423c49a7f69a5d13771f

SHA1
615b63fb8bf07dbb0565ffd492067309645064c9

SHA256
1663db9b496c87701f6c8f6721e92994ffdd747f949ab1070fd844c4d63fb916

SHA512
d9a0d342e84c32d4c0aee97be7b9a102963d1aeab7edd87b080548f7dd144d851c558e6706bec441534d8e188938655c2b551e358d342309677511404a34ce81

Download Submit
memory/4264-27-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4264-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4264-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4264-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4264-978-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4264-1161-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4264-1705-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4264-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4264-4726-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4264-5-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download