8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0

Analysis

max time kernel
149s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 15:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
Size

29KB
MD5

4f5d22667d150fcb87a131ecf4f18373
SHA1

ea6b17b4d068f007f17dcc1d2af587a5969ae213
SHA256

8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0
SHA512

cbce12b897e11aab465fc244a7442f89ea5eac1a0e3bea595eae4951a454a51e065063a68771ee96588ed0b9674777f25776221bed1829075540541a9e28f6e1
SSDEEP

384:NbbfY3kjoTR1V1Gt5M0zhIV/DZ3KZp7JcTO4yf9Knuf2MqlUV2V9wVfUnfRqOzG4:pVjK7V16GVRu1yK9fMnJG2V9dHS8

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened (read-only)	\??\G:	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened (read-only)	\??\E:	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened (read-only)	\??\I:	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened (read-only)	\??\X:	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened (read-only)	\??\T:	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened (read-only)	\??\R:	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened (read-only)	\??\P:	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened (read-only)	\??\K:	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened (read-only)	\??\O:	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened (read-only)	\??\M:	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened (read-only)	\??\Y:	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened (read-only)	\??\V:	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened (read-only)	\??\U:	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened (read-only)	\??\S:	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened (read-only)	\??\Q:	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened (read-only)	\??\Z:	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened (read-only)	\??\W:	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened (read-only)	\??\N:	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened (read-only)	\??\L:	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened (read-only)	\??\J:	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nl-nl\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\contrast-white\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ar-ae\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened for modification	C:\Program Files (x86)\Windows NT\TableTextService\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\Attribution\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\de-de\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\eu-es\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\cs-cz\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ja-jp\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\it-it\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\cs-cz\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files\VideoLAN\VLC\locale\is\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\de-de\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\serialver.exe	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Speech\en-US\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\es-ES\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\uk-ua\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pl-pl\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\root\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\lt-LT\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ru-RU\View3d\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files-select\js\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\uk-ua\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jabswitch.exe	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gl\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\da-dk\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\bn-BD\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\Simple\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\he-il\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Temp\EUB476.tmp\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ko-kr\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nl-nl\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeComRegisterShellARM64.exe	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_~_8wekyb3d8bbwe\_desktop.ini	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1472	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
1472	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
1472	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
1472	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
1472	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
1472	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
1472	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
1472	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
1472	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
1472	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
1472	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
1472	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
1472	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
1472	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
1472	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
1472	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
1472	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
1472	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
1472	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
1472	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 2804	1472	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe	82
PID 1472 wrote to memory of 2804	1472	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe	82
PID 1472 wrote to memory of 2804	1472	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe	82
PID 2804 wrote to memory of 2660	2804	net.exe	84
PID 2804 wrote to memory of 2660	2804	net.exe	84
PID 2804 wrote to memory of 2660	2804	net.exe	84
PID 1472 wrote to memory of 3452	1472	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe	56
PID 1472 wrote to memory of 3452	1472	8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3452
- C:\Users\Admin\AppData\Local\Temp\8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe
  "C:\Users\Admin\AppData\Local\Temp\8aaa8b892b24ec2f7f914fca94a3e72952178ab6e732a8342f18e737060ed1a0.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:2660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
d86e00fdec23784005bc452f437fedb8

SHA1
5c8d5c4952600659f2177262c2b0554e5dcebd64

SHA256
aa56ba1e1b10017ed23bccf1d5ba69dede6dc8dfa40ea585bce45dfd8ae3f0c3

SHA512
648667cbdbf62b8ca75fc0091f9313a0a0d76bb2b2f3c1db4464bb8f3299562bcd247a7443dc55af7a05090a6e3acc98d8af10fd33ffad543f841152a1ccef77

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
713KB

MD5
137dbc03d26ff317da5b903922cd14ba

SHA1
953da8f440f9658d5bab99d21445cdcb93da77fb

SHA256
aeea98e498eb922d5f8d599a8551362a2235fa13e9c8736ef2135522eeee13d4

SHA512
7bf5ba297f8694eb957115b4b385b1aa3761f9a180dc2e63d48479cc790ddc83ce6aafce370bec95f8ae821e6cabb7c36e1fdaeeab03b9cea0e7ae36232fc08b

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
639KB

MD5
a3605b51d03ea8bc68b35024e3706893

SHA1
6c38dddfa42e9a668cdc457a931799ed35e2db9b

SHA256
351fb1ee45499709bec5874e2bedd85b14730aad55d91a1f31a28a23c83ae903

SHA512
4d7e3f4704132ef680054c46f06879f8028e103b36a6c9d640ea155b8ee660402efd31469cc3857b1fc10f904ac9e41d2e85f88c18ad5d5c841d30b93de30533

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3571316656-3665257725-2415531812-1000\_desktop.ini

Filesize
9B

MD5
4b2b75605a65a6762ec4715de0a70902

SHA1
3b85993ef06d2d814abc405188fdd19a1bffea0c

SHA256
77072cc5a7b394508cf5d819ff8cf4385a9b3cb15d8715a59845ccfa235ea34e

SHA512
888361e75afd4308bdad817af543704a42ffdf2d798acef619459e9978ac68f1cf4d468c6e0b146ab738b0109fdf331c4380471aa83f637b0f6ab06164840c65

Download Submit
memory/1472-12-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1472-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1472-22-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1472-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1472-1137-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1472-1218-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1472-5-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1472-4796-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1472-5235-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download