Analysis
-
max time kernel
150s -
max time network
152s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system -
submitted
09/06/2024, 07:34
Static task
static1
Behavioral task
behavioral1
Sample
fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe
Resource
win10v2004-20240226-en
General
-
Target
fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe
-
Size
26KB
-
MD5
d880c45f5fdc437b2171ca08b6fe4bd7
-
SHA1
32e2fe3f1dec04977e99f4703ec91ace6ddeb92e
-
SHA256
fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90
-
SHA512
420537ed44be11fa1364a9ade913e4e2adb5e90a8c18ad24a41159b9aefdbd246daf8f1abb562a07a44091336034a0f680bb0e444e0315b5bd853b2c6d43a9b5
-
SSDEEP
768:B1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoL:XfgLdQAQfcfymN
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 1 IoCs
description | ioc | Process
File created | C:\Windows\rundl132.exe | fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
pid | Process
4888 | fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe (this same entry is recorded 20 times)
-
Suspicious use of WriteProcessMemory 8 IoCs
description | pid | Process | procid_target
PID 4888 wrote to memory of 2156 | 4888 | fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | 91
PID 4888 wrote to memory of 2156 | 4888 | fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | 91
PID 4888 wrote to memory of 2156 | 4888 | fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | 91
PID 2156 wrote to memory of 840 | 2156 | net.exe | 93
PID 2156 wrote to memory of 840 | 2156 | net.exe | 93
PID 2156 wrote to memory of 840 | 2156 | net.exe | 93
PID 4888 wrote to memory of 3360 | 4888 | fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | 57
PID 4888 wrote to memory of 3360 | 4888 | fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | 57
Processes
-
C:\Windows\Explorer.EXE (level 1, PID 3360)
  command line: C:\Windows\Explorer.EXE
-
  C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe (level 2, PID 4888)
    command line: "C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe"
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
-
    C:\Windows\SysWOW64\net.exe (level 3, PID 2156)
      command line: net stop "Kingsoft AntiVirus Service"
      - Suspicious use of WriteProcessMemory
-
      C:\Windows\SysWOW64\net1.exe (level 4, PID 840)
        command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 1, PID 4388)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4256 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
251KB
MD5
1739f92ac794136b7b005e3a65d03e22
SHA1
3aff88b7c7601941cba191ce2817c3bea01b834a
SHA256
e263b8c0eab9cbdf8a0fa5360727bdf6ed892097a0990e688de929195f63508f
SHA512
35d8a8b579241000bd7cca8c3ec80e3a02d4ae569c08b7fcd2b9d9c028e60954678825c2b26c0efe7fe17f2f46cc00fc839b0d542100296f71201b261a69bb85
-
Filesize
165KB
MD5
dbe4e1e5bdd0b3e9eb76d56e4b6e7fb6
SHA1
9295f140456e6f877267194c0c8669d847847c53
SHA256
29a2b4e8aa964811ed07d719203e3791a35fc006f6ca9545ca0aeed7df4758d2
SHA512
7aadc949c70fd64f030ed2e930c33a9b60df3d22b04e06a1c37b02e0c4a32c3ac8af52abad0d3142da344b7648d9bb0f79cf2ece346fd8ebe22664bfd3478142
-
Filesize
8B
MD5
9bf5ad0e8bbf0ba1630c244358e5c6dd
SHA1
25918532222a7063195beeb76980b6ec9e59e19a
SHA256
551cc5b618f0fa78108dd2388d9136893adb10499e4836e9728f4e96530bf02f
SHA512
7fdce76bb191d4988d92e3d97ce8db4cae1b5c1f93198bffc4e863d324d814246353200d32ea730f83345fcb7ad82213c2bcd31351e905e473d9596bc7b43ad3