72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19/04/2024, 07:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
Size

27KB
MD5

f6f516547fdbd904c17fd182506da5b8
SHA1

6a85326d63024f1c8768c866e61700b5694a023f
SHA256

72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac
SHA512

5abb976928ce8ecc61ff825522ae636139cda0d1f1b8672652eec7e899778787626524692510be0a7e6990bbd11e799ba6d4890d93531b9404de83019b5a49da
SSDEEP

384:MX1Gt5M0zhIV/DZ3KZp7JcTO4yf9KFL/KaUUqd3qR+FlYTj9QTN0wpD9p5Cs:y16GVRu1yK9fMFLKaTxsujCT7pZpY

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened (read-only)	\??\U:	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened (read-only)	\??\T:	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened (read-only)	\??\I:	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened (read-only)	\??\E:	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened (read-only)	\??\Y:	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened (read-only)	\??\W:	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened (read-only)	\??\R:	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened (read-only)	\??\N:	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened (read-only)	\??\M:	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened (read-only)	\??\K:	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened (read-only)	\??\J:	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened (read-only)	\??\V:	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened (read-only)	\??\Q:	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened (read-only)	\??\P:	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened (read-only)	\??\O:	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened (read-only)	\??\Z:	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened (read-only)	\??\S:	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened (read-only)	\??\L:	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened (read-only)	\??\H:	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened (read-only)	\??\G:	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ja-jp\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sl-si\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\security\policy\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\Registration\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ko-kr\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\da-dk\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ca-es\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ar-ae\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fr-ma\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ach\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-cn\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pl-pl\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\fi-fi\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn_IN\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\uz-Latn-UZ\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherImages\423x173\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\fr-fr\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ja-jp\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\am-ET\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2020.1906.55.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\files\dev\cef\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-cn\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\zh-tw\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\_platform_specific\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\hu-hu\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\eu-es\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\uk-ua\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pl-pl\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File created	C:\Program Files\VideoLAN\VLC\locale\kk\LC_MESSAGES\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\tool\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\CMap\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\fonts\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fr-ma\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\uk-ua\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File created	C:\Program Files\dotnet\host\fxr\7.0.16\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\vi-VN\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.exe	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\da-dk\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\he-il\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ar-ae\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\_desktop.ini	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1320	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
1320	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
1320	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
1320	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
1320	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
1320	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
1320	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
1320	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
1320	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
1320	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
1320	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
1320	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
1320	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
1320	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
1320	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
1320	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
1320	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
1320	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
1320	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
1320	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1320 wrote to memory of 1468	1320	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe	84
PID 1320 wrote to memory of 1468	1320	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe	84
PID 1320 wrote to memory of 1468	1320	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe	84
PID 1468 wrote to memory of 2100	1468	net.exe	86
PID 1468 wrote to memory of 2100	1468	net.exe	86
PID 1468 wrote to memory of 2100	1468	net.exe	86
PID 1320 wrote to memory of 3408	1320	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe	56
PID 1320 wrote to memory of 3408	1320	72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3408
- C:\Users\Admin\AppData\Local\Temp\72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe
  "C:\Users\Admin\AppData\Local\Temp\72c203f92bed415ca54d7f225bd16016c342d20e339f58b06d9fcaeecd931aac.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1320
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1468
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:2100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\dotnet\dotnet.exe

Filesize
170KB

MD5
2d86dea505e884a25c2fc9ca215a4c8e

SHA1
6424238be4cf714d05cd15698b3b9a4edcd905b8

SHA256
953181892a80745ae7a475072365a2be00a8c5adb5e7c1a98911b961ddc5fcb0

SHA512
c5b2e0499c89da67be925c2a8e8cb4f721291df15bd406f9f41e554330b84d8c254ca124c3d65d97005665f69b115684141c334028da8024ca415a51399ba036

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
637KB

MD5
9cba1e86016b20490fff38fb45ff4963

SHA1
378720d36869d50d06e9ffeef87488fbc2a8c8f7

SHA256
a22e6d0f5c7d44fefc2204e0f7c7b048e1684f6cf249ba98c006bbf791c22d19

SHA512
2f3737d29ea3925d10ea5c717786425f6434be732974586328f03691a35cd1539828e3301685749e5c4135b8094f15b87fb9659915de63678a25749e2f8f5765

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1132431369-515282257-1998160155-1000\_desktop.ini

Filesize
9B

MD5
c59aab012a570d8b20f60efcafb272be

SHA1
709df64d9a23340c6bc42f2bf8dfdca512bff2e0

SHA256
8a349242c7461f8fccc029421cd051ef8f140a8e3738d348a2354a3d5b9de220

SHA512
8c3f67dc02beaca59f0deaa4d8e33bc385b19df02d2a8b905b47148e21919f7d059f3883f02dad25a0d11dc807343390114753a7918171720d8cd72e84239e17

Download Submit
memory/1320-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1320-5-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1320-12-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1320-18-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1320-22-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1320-1212-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1320-4778-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1320-5217-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download