4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c

Analysis

max time kernel
149s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
04-06-2024 20:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
Size

33KB
MD5

3905de443e3362c9a3cf7a99ec967853
SHA1

fad6b90d31da3df8c885fac5d78de93bec539fec
SHA256

4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c
SHA512

151968a824d131913cec483882b9a636aaa1202647f703b376b495e09f3ac1377aed756e85a449613a9cea4487cf9522ec2951e00ecb095e709eb55d21fe4183
SSDEEP

768:mYBuC+Vxr1x5cE9Fl5pz8UOutDlMXaoSunjXWNN:/BVsrz8VuJlMXaDuiN

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened (read-only)	\??\G:	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened (read-only)	\??\X:	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened (read-only)	\??\R:	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened (read-only)	\??\L:	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened (read-only)	\??\O:	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened (read-only)	\??\N:	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened (read-only)	\??\M:	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened (read-only)	\??\K:	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened (read-only)	\??\E:	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened (read-only)	\??\W:	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened (read-only)	\??\U:	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened (read-only)	\??\Q:	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened (read-only)	\??\Y:	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened (read-only)	\??\P:	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened (read-only)	\??\S:	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened (read-only)	\??\J:	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened (read-only)	\??\I:	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened (read-only)	\??\Z:	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened (read-only)	\??\V:	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened (read-only)	\??\T:	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\tr-tr\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-tw\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sl-sl\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\root\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File created	C:\Program Files\Microsoft Office\root\vfs\Fonts\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\es-es\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\nb-no\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\es-es\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened for modification	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sv-se\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-il\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\he-il\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-si\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\zh-tw\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\dev\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fr-fr\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\root\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\hu-hu\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened for modification	C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\B53A34F1-FF5D-4EF4-BFFA-089E897035BB\root\vfs\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\cs-cz\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sl-si\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\css\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\en-US\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RADIAL\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\he-il\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hr-hr\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hu-hu\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\es-es\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\nb-no\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File created	C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File created	C:\Program Files\Microsoft Office\root\fre\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\eu-es\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\fr-ma\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ar-ae\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File created	C:\Program Files (x86)\Windows Defender\uk-UA\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File created	C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-tw\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\uk-ua\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\lib\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File created	C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_output\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Configuration\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\es-es\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\_desktop.ini	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
File created	C:\Windows\Dll.dll	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3168 wrote to memory of 4136	3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe	83
PID 3168 wrote to memory of 4136	3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe	83
PID 3168 wrote to memory of 4136	3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe	83
PID 4136 wrote to memory of 4380	4136	net.exe	85
PID 4136 wrote to memory of 4380	4136	net.exe	85
PID 4136 wrote to memory of 4380	4136	net.exe	85
PID 3168 wrote to memory of 4604	3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe	90
PID 3168 wrote to memory of 4604	3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe	90
PID 3168 wrote to memory of 4604	3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe	90
PID 4604 wrote to memory of 4192	4604	net.exe	92
PID 4604 wrote to memory of 4192	4604	net.exe	92
PID 4604 wrote to memory of 4192	4604	net.exe	92
PID 3168 wrote to memory of 3384	3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe	56
PID 3168 wrote to memory of 3384	3168	4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3384
- C:\Users\Admin\AppData\Local\Temp\4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe
  "C:\Users\Admin\AppData\Local\Temp\4cfb758bc8d779a7e4f3f549286ac83c8b98d5104f3efa056d8729462bf1645c.exe"
  2⤵
  - Drops startup file
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3168
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4136
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:4380
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4604
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:4192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
258KB

MD5
8a216d268fb4892b3af2e79a279a2a23

SHA1
51916b0eeb6d61280fac7de0363254427f245762

SHA256
c7a2a1b862ba9fdf706edd930c09dd07af8fb44f3edcfe0a22b41899eebae31d

SHA512
30adf4d918017584c668d9bacf0f6263a9f47087303aaa46ca6a0c9a1e96644fb54b7110ede95819e5782ca189909ce84af8bc80c2a5c1ac21cb62f33f729e93

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
177KB

MD5
300554142b399ee673d8bad80666f9de

SHA1
d94950ce2b9dcf8b9969755e33e4edb70cdee2c8

SHA256
304e3f7666d31246eab8711506a24c1c2c1698817ef410589e5e71e275e9fa40

SHA512
2d38228bfaef2c88eb33f1475843a909d9eba4aba3c6c98a601dbbdfffcadda367832d5a02e5c3952edaf008680b453c47339cc9dd20e4bca801d2280493ac75

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
644KB

MD5
e9d357d936630a4282349f034fb51052

SHA1
3905031236dfb21491e9ad23e35b0ae261e0739f

SHA256
c74cc9b57276c722bb9774cb84b7e4afd4ea5c9ba1f0fdd77dc21c81b8aaa8c4

SHA512
bf3439117541d47daee8cc6ca363c66dd3d46cbdc5009173572e383dce3b5b83c7575af3317bb2bd50dee757a9a16b82bf386b31d1ba805f23a4d57e484ba2a6

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\_desktop.ini

Filesize
8B

MD5
378d822ce12583d0d584184af22d1d77

SHA1
c062ac770b028df6db676099e02f09fc2f77b171

SHA256
1ad01f8e46c86dfa34468e306eabe54b58d56134130b53ea7677961e3baaf6c7

SHA512
23cf7b916de734c6bb6fd3b2beee21f3e82bc95e93d8662dca818d7cf13602706f22671dce61388b2a7e0b613c07c70512331c4132759b16cf438cb1750bc397

Download Submit
memory/3168-0-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3168-3-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3168-4625-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3168-8676-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download