f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69

Analysis

max time kernel
150s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
04/05/2024, 19:14

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
Size

26KB
MD5

1faf8a2a4d36e938fa4e838c59e51757
SHA1

aed13b0baca7f476c5aae8c4406ab620c04be678
SHA256

f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69
SHA512

491e49baf52a6e0eefecc277b0a3fe682185cbf7f41c2074547edf74a5d2124689504173463f89ac19b22301c3255a886736aa9254f618ba01b92354d53eb228
SSDEEP

768:3Q1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoL:3CfgLdQAQfcfymN

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened (read-only)	\??\N:	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened (read-only)	\??\J:	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened (read-only)	\??\G:	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened (read-only)	\??\Z:	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened (read-only)	\??\U:	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened (read-only)	\??\K:	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened (read-only)	\??\H:	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened (read-only)	\??\Q:	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened (read-only)	\??\M:	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened (read-only)	\??\P:	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened (read-only)	\??\L:	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened (read-only)	\??\I:	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened (read-only)	\??\W:	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened (read-only)	\??\R:	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened (read-only)	\??\V:	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened (read-only)	\??\S:	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened (read-only)	\??\O:	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened (read-only)	\??\E:	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened (read-only)	\??\Y:	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened (read-only)	\??\X:	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fi-fi\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\nb-no\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugins\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\tr-tr\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\pl-pl\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File created	C:\Program Files\Reference Assemblies\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File created	C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\uk-UA\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\cs-cz\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\zh-cn\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\cs-cz\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sl-si\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\sv-se\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Microsoft.Support.SDK\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\sv-se\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened for modification	C:\Program Files\Java\jre8\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File created	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\he-il\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\services_discovery\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-tw\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ar-ae\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\it-it\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File created	C:\Program Files\VideoLAN\VLC\lua\meta\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\root\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\da-dk\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nl-nl\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\pt-br\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened for modification	C:\Program Files\Google\Chrome\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ca-es\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\he-il\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ar-ae\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\de-de\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\th-TH\View3d\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\nb-no\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-il\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File created	C:\Program Files (x86)\Microsoft\Temp\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\dark\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\ja-JP\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\css\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-tw\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\root\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\_desktop.ini	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3708	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
3708	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
3708	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
3708	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
3708	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
3708	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
3708	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
3708	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
3708	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
3708	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
3708	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
3708	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
3708	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
3708	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
3708	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
3708	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
3708	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
3708	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
3708	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
3708	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3708 wrote to memory of 2012	3708	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe	83
PID 3708 wrote to memory of 2012	3708	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe	83
PID 3708 wrote to memory of 2012	3708	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe	83
PID 2012 wrote to memory of 4644	2012	net.exe	85
PID 2012 wrote to memory of 4644	2012	net.exe	85
PID 2012 wrote to memory of 4644	2012	net.exe	85
PID 3708 wrote to memory of 3500	3708	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe	56
PID 3708 wrote to memory of 3500	3708	f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3500
- C:\Users\Admin\AppData\Local\Temp\f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe
  "C:\Users\Admin\AppData\Local\Temp\f1f5e8ce0164a726bf1a38b5a1789aa1c770044184a4e4f0951165453737ef69.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3708
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2012
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:4644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

Filesize
244KB

MD5
494ea0f0f9f42dfbde38b70f28105502

SHA1
fd3d48cbed282e4dd30530572eaf01eec4d0ca20

SHA256
79be76828ea2db5b67eddcb903fa1a55be174d84d77eac8f38370f8d4ef91cff

SHA512
5a8b6db4589bdef40a98db48af78d6ed6b9f83d7b37ecf60137d5fa99e131a235945ca240faea0d94ff78e7a3d639534167330a27641719b2c1bb64887480035

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
710KB

MD5
97b10d1536ef901a0a127a623de9e330

SHA1
0bdfd67abd6638abcee0f3c0db47b8e092304d50

SHA256
f7ad447c853c305d879840129e0b50b2d9ccc61508ede9a02995a3a104f95b3d

SHA512
07a75e981a64c614b9a40b9250bf3f1e48f12ef18fc2248fcb7d7dae5ba6d8b7ee6bba09c14e7f606724db555b696ba546361ad59f63fa629bc40da6d9424924

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
636KB

MD5
2500f702e2b9632127c14e4eaae5d424

SHA1
8726fef12958265214eeb58001c995629834b13a

SHA256
82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c

SHA512
f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2818691465-3043947619-2475182763-1000\_desktop.ini

Filesize
8B

MD5
5979a5ab5d6ce7068aff133101a79c52

SHA1
8ec7729d3782fc978cc50f9b3217fc8309ae7733

SHA256
6b009cde89047fc55503dc0b3649d341e98320a0438d044bc8fb068d0c919ef1

SHA512
213c10a6b5b394b2736619ed0418ba715e643dfa08b5827757dd64b1718ddec6a44822ff4b192bd594997cc13bc2027d03c029537ed2f12591b370ec1f242f2d

Download Submit
memory/3708-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3708-5-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3708-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3708-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3708-22-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3708-1223-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3708-4789-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3708-5252-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download