8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
06/06/2024, 14:33

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
Size

26KB
MD5

e26ec91340a366199271c66f5e64fa68
SHA1

0436e9c4288a09bb6fa1246a57de8ddb04635392
SHA256

8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09
SHA512

29b206a7cc04d4c4e858e392b40d7172578cdc11ef9fd357b31e4b4215c3ff781851d94c4b914119af51df2e45521f519c96f09b00a00550ac856d728df29dcf
SSDEEP

768:i1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoL:kfgLdQAQfcfymN

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened (read-only)	\??\T:	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened (read-only)	\??\P:	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened (read-only)	\??\I:	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened (read-only)	\??\H:	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened (read-only)	\??\Y:	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened (read-only)	\??\X:	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened (read-only)	\??\N:	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened (read-only)	\??\G:	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened (read-only)	\??\E:	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened (read-only)	\??\S:	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened (read-only)	\??\R:	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened (read-only)	\??\M:	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened (read-only)	\??\L:	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened (read-only)	\??\K:	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened (read-only)	\??\J:	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened (read-only)	\??\Z:	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened (read-only)	\??\V:	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened (read-only)	\??\U:	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened (read-only)	\??\Q:	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened (read-only)	\??\O:	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File created	C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\Thumbnails\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pl-pl\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ko-KR\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\vlc.exe	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\VideoFrameExtractor\UserControls\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\hu-hu\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File created	C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hu-hu\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ca-es\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\de-de\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-il\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\hu-hu\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\modules\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-sl\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ru-ru\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\Simple\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-fr\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\nb-no\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nl\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File created	C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\tr-tr\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ko-kr\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\css\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ar-ae\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fr-fr\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\hu-hu\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\cs-cz\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-gb\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sm\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\fr-FR\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\cs-cz\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-il\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Shell\Themes\Glyphs\Font\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleApp.exe	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File created	C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-gb\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File created	C:\Program Files (x86)\Windows Media Player\fr-FR\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\xaml\onenote\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fi-fi\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1280	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
1280	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
1280	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
1280	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
1280	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
1280	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
1280	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
1280	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
1280	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
1280	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
1280	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
1280	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
1280	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
1280	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
1280	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
1280	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
1280	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
1280	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
1280	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
1280	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1280 wrote to memory of 4348	1280	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe	83
PID 1280 wrote to memory of 4348	1280	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe	83
PID 1280 wrote to memory of 4348	1280	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe	83
PID 4348 wrote to memory of 2872	4348	net.exe	85
PID 4348 wrote to memory of 2872	4348	net.exe	85
PID 4348 wrote to memory of 2872	4348	net.exe	85
PID 1280 wrote to memory of 3448	1280	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe	56
PID 1280 wrote to memory of 3448	1280	8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3448
- C:\Users\Admin\AppData\Local\Temp\8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe
  "C:\Users\Admin\AppData\Local\Temp\8d9b1e96c5bc07cb4b17a4a28e5291124594d11b13149e8b8dda113667266f09.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1280
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4348
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
af0e6ef655f1d3e949f70ab7e294f17a

SHA1
d91f32acaf1e1cc197dff8406c14bcc504235252

SHA256
a10ee8e3ff0b923d6bc12b746ce2cd2784092589d4794273ded00be7f1dba9f0

SHA512
1f25dc94fb17cdaa46cee4873a00aae948e92e087738b698a60631d0a576c54f0c86cb098a05cf7f426efa0319a61c0a23111c1cedea174e2b9b8cfbb46b88fe

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
170KB

MD5
e197be7486f58f647a1655acfa023e13

SHA1
24868610bed0d610b66a2c2d4c88aa3dd23ecfec

SHA256
019c65b7efc2cba2c1f65d6b3c5e853e59a31993b54ade4488d6ada4f2ebce4b

SHA512
fde6855795412d02e520e16bc4d098f2f7733ccd679f9e76d9a206561d270eafec9b2cb3dc24d8fd8a4cb3ec39e985e1269b6ebe31c229df5d31ca63d9756333

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
636KB

MD5
2500f702e2b9632127c14e4eaae5d424

SHA1
8726fef12958265214eeb58001c995629834b13a

SHA256
82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c

SHA512
f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3558294865-3673844354-2255444939-1000\_desktop.ini

Filesize
8B

MD5
8de83b88f7ab26b8a33a1eeb970a7bc8

SHA1
ad3208ec0bdfacd12ad7291d0259ef41b6bfc425

SHA256
499baf65b91c9fff00cab334a4d8ab59d253993f173da5c33ff01ea4afc217fe

SHA512
9272af088cc70ebeb388cefda678d35e649433d3a6c5715f3537e2832b3fead9568d58a026c36ab711fdef87597419e8be80a5d809530a933f72328c413a5d7e

Download Submit
memory/1280-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1280-5-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1280-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1280-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1280-22-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1280-1216-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1280-4782-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1280-5221-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download