e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 22:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
Size

29KB
MD5

c5f8315b200df9ab7e42897400c35321
SHA1

d0626edbd803f1cfa0f5ce040840b7faa79b6ac6
SHA256

e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f
SHA512

734c0ae7de718f6bbb85623d639c497af458615e790bbbd656b7142165df8de5d114c62b66831071a7e05684188ca7e8d57f4b545b8ab6846e1c0e3c5edf9a02
SSDEEP

384:NbbvOPk4zaAc1Gt5M0zhIV/DZ3KZp7JcTO4yf9Knuf2MqlUV2V9wVfUnfRqOzGOj:pp4m16GVRu1yK9fMnJG2V9dHS8

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened (read-only)	\??\H:	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened (read-only)	\??\Z:	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened (read-only)	\??\Y:	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened (read-only)	\??\J:	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened (read-only)	\??\O:	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened (read-only)	\??\K:	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened (read-only)	\??\X:	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened (read-only)	\??\T:	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened (read-only)	\??\P:	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened (read-only)	\??\S:	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened (read-only)	\??\R:	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened (read-only)	\??\W:	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened (read-only)	\??\V:	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened (read-only)	\??\U:	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened (read-only)	\??\L:	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened (read-only)	\??\G:	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened (read-only)	\??\E:	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened (read-only)	\??\Q:	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened (read-only)	\??\N:	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened (read-only)	\??\M:	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\he-il\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\hu-hu\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sl-sl\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sv-se\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\pl-pl\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fi-fi\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-tw\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nb-no\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\x86\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pt-br\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File created	C:\Program Files (x86)\Google\Update\Offline\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-gb\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\eu-es\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\tr-tr\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\he-il\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fi-fi\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\tr-tr\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ko-kr\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\hr-hr\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access_output\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-150_8wekyb3d8bbwe\Assets\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ro-ro\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\en-US\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\uk-UA\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\es_MX\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sk-sk\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\en-gb\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fi-fi\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\nl-nl\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\pt-br\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ja-jp\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fr-ma\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sk\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\tr-TR\View3d\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Images\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-il\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\3DViewer.exe	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\HelpAndFeedback\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Simple\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-gb\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\themes\dark\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ko-kr\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\zh-cn\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square310x310\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\ImmersiveVideoPlayback\Content\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\root\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\it-it\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\zh-tw\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\versions\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sv\_desktop.ini	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1448	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
1448	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
1448	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
1448	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
1448	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
1448	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
1448	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
1448	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
1448	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
1448	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
1448	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
1448	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
1448	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
1448	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
1448	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
1448	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
1448	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
1448	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
1448	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
1448	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 4740	1448	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe	82
PID 1448 wrote to memory of 4740	1448	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe	82
PID 1448 wrote to memory of 4740	1448	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe	82
PID 4740 wrote to memory of 1048	4740	net.exe	84
PID 4740 wrote to memory of 1048	4740	net.exe	84
PID 4740 wrote to memory of 1048	4740	net.exe	84
PID 1448 wrote to memory of 3488	1448	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe	56
PID 1448 wrote to memory of 3488	1448	e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3488
- C:\Users\Admin\AppData\Local\Temp\e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe
  "C:\Users\Admin\AppData\Local\Temp\e47b4419438d910621f6f96f9d0eb1c8c4c5e2804df7c9c0837081c9ae7e012f.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1448
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4740
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:1048

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
f35eeb93c627f1f86a3833716bd43b6f

SHA1
dad2838568e979c1cc11ec0e7d18a869c984842a

SHA256
06da7d6de7cc0bf44d747565058bec46c996dcc2d5deb48e48839459718a967b

SHA512
1344a5244733f10ff1b23ebfb448fbafb2ea34f613ba3f662699b6bdf581b8cef3a102edeb576bc0035cabd6516cb48e7635f0636dd983c04e2f04d41f7b3a0b

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
173KB

MD5
77c15268217708a2c9f00da6a5be5042

SHA1
1215bfc30879b91861a836d0c7f07883fd8dec5d

SHA256
922937eadb7c8d636f8694aad275cb8de9b25e3b779fe3d6cbf1c6631e5ac9ea

SHA512
6194e44c03030d8046e7b98c4063845c2e966858964a4bec663139301c4b88b8dde4a3c9b6e2d65134cd5184e14e793d8f8e599e9b86bbfc70b9bcf067ce7847

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
639KB

MD5
acd457ec0b598bd9950de37255ce2d30

SHA1
7886780402cfc221cd48914ab94f8c6c448597e9

SHA256
fd4ebcb132895ef098c047db75cd9477bd628db74dba0083e2597e8525b890ac

SHA512
841e948953b31a122ec776c26b0bb4ee5d8b23be96fa8ae0128fb2a4530bb891887f992f5da116613aff87e6bbbbb24a4c72e77e74e505afc43d8dc8f1b97d1b

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3558294865-3673844354-2255444939-1000\_desktop.ini

Filesize
8B

MD5
d970a2bfcaa076939c06270d1a48dec8

SHA1
7a558f4d64c3e98bcfd2af83f28e6fbd207a39e1

SHA256
bdc6872f9a0a011a670907f0fedad9b88e283c5af545cf9f6bd73c3709967d44

SHA512
ea4c16930628455852ce343f8ae248b6df869b8da10b10928ebb802129f73d9761971811de317c7d3121b815340027782ec15d385d1d2d7df8fd0a46b62974c2

Download Submit
memory/1448-12-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1448-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1448-22-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1448-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1448-1182-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1448-1217-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1448-5-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1448-4782-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1448-5221-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download