Analysis
max time kernel: 149s
max time network: 57s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12/06/2024, 23:43
Static task: static1
Behavioral task: behavioral1
Sample: 470ca7731bbe27be0922d68e5479cc10f87a1b29acfbe44a506414761a379a2a.exe
Resource: win7-20240419-en
Behavioral task: behavioral2
Sample: 470ca7731bbe27be0922d68e5479cc10f87a1b29acfbe44a506414761a379a2a.exe
Resource: win10v2004-20240508-en
General
Target: 470ca7731bbe27be0922d68e5479cc10f87a1b29acfbe44a506414761a379a2a.exe
Size: 29KB
MD5: 9fcfb6b631b5a62c2af6f852de61dc71
SHA1: 02149b5ae9d7c72cc2df500a9cf25ef4234614e1
SHA256: 470ca7731bbe27be0922d68e5479cc10f87a1b29acfbe44a506414761a379a2a
SHA512: 69076244e4c53b09a9d3595e6b53201013ce006da986542f8375223640e5ce66d000c9f02c71d3856ea0f3f788c139fce670ae26c571bd71d801bd67e15cb66a
SSDEEP: 384:Nbbthukfv1Gt5M0zhIV/DZ3KZp7JcTO4yf9Knuf2MqlUV2V9wVfUnfRqOzGOnJh:p3Hv16GVRu1yK9fMnJG2V9dHS8
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Process: 470ca7731bbe27be0922d68e5479cc10f87a1b29acfbe44a506414761a379a2a.exe (all 21 entries)
File opened (read-only) \??\V:
File opened (read-only) \??\S:
File opened (read-only) \??\H:
File opened (read-only) \??\G:
File opened (read-only) \??\Y:
File opened (read-only) \??\Q:
File opened (read-only) \??\O:
File opened (read-only) \??\N:
File opened (read-only) \??\P:
File opened (read-only) \??\M:
File opened (read-only) \??\L:
File opened (read-only) \??\K:
File opened (read-only) \??\X:
File opened (read-only) \??\W:
File opened (read-only) \??\U:
File opened (read-only) \??\T:
File opened (read-only) \??\I:
File opened (read-only) \??\E:
File opened (read-only) \??\Z:
File opened (read-only) \??\R:
File opened (read-only) \??\J:
Drops file in Program Files directory (64 IoCs)
Process: 470ca7731bbe27be0922d68e5479cc10f87a1b29acfbe44a506414761a379a2a.exe (all 64 entries)
File opened for modification C:\Program Files\VideoLAN\VLC\locale\co\_desktop.ini
File created C:\Program Files\VideoLAN\VLC\locale\eu\_desktop.ini
File created C:\Program Files\VideoLAN\VLC\locale\ml\_desktop.ini
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\en-us\_desktop.ini
File opened for modification C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\uk-ua\_desktop.ini
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\de-de\_desktop.ini
File opened for modification C:\Program Files (x86)\Google\Update\Install\{28C8484C-303E-4CB2-A704-E3FF47E10F7C}\chrome_installer.exe
File created C:\Program Files\Java\jdk-1.8\jre\lib\_desktop.ini
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-fr\_desktop.ini
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sk-sk\_desktop.ini
File opened for modification C:\Program Files\VideoLAN\VLC\locale\mn\_desktop.ini
File opened for modification C:\Program Files (x86)\Adobe\_desktop.ini
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\hr-hr\_desktop.ini
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ru-ru\_desktop.ini
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\cs-cz\_desktop.ini
File created C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\en-US\_desktop.ini
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-ma\_desktop.ini
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hr-hr\_desktop.ini
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-tw\_desktop.ini
File created C:\Program Files\VideoLAN\VLC\locale\lv\_desktop.ini
File opened for modification C:\Program Files\Windows Defender\it-IT\_desktop.ini
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fr-ma\_desktop.ini
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\eu-es\_desktop.ini
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sv-se\_desktop.ini
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\_desktop.ini
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\_desktop.ini
File created C:\Program Files\VideoLAN\VLC\locale\ne\_desktop.ini
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\_desktop.ini
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\en-us\_desktop.ini
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ro-ro\_desktop.ini
File opened for modification C:\Program Files (x86)\Google\_desktop.ini
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\it\_desktop.ini
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\css\_desktop.ini
File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\PhotosApp\Assets\ThirdPartyNotices\_desktop.ini
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-tw\_desktop.ini
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-cn\_desktop.ini
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\de-de\_desktop.ini
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-cn\_desktop.ini
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\css\_desktop.ini
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ko-kr\_desktop.ini
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\_desktop.ini
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\_desktop.ini
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\_desktop.ini
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\uk-ua\_desktop.ini
File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\_desktop.ini
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\_desktop.ini
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\_desktop.ini
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ro-ro\_desktop.ini
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\msedge_proxy.exe
File opened for modification C:\Program Files\VideoLAN\VLC\locale\cgg\_desktop.ini
File created C:\Program Files\VideoLAN\VLC\locale\ru\_desktop.ini
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\LTR\_desktop.ini
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sl-sl\_desktop.ini
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\_desktop.ini
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\_desktop.ini
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hr-hr\_desktop.ini
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ca-es\_desktop.ini
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\_desktop.ini
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\_desktop.ini
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-ae\_desktop.ini
Drops file in Windows directory (1 IoC)
File created C:\Windows\rundl132.exe (Process: 470ca7731bbe27be0922d68e5479cc10f87a1b29acfbe44a506414761a379a2a.exe)
Runs net.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
pid 3472, Process 470ca7731bbe27be0922d68e5479cc10f87a1b29acfbe44a506414761a379a2a.exe (20 identical entries)
Suspicious use of WriteProcessMemory (8 IoCs)
PID 3472 wrote to memory of 1896 (Process: 470ca7731bbe27be0922d68e5479cc10f87a1b29acfbe44a506414761a379a2a.exe, procid_target 82)
PID 3472 wrote to memory of 1896 (Process: 470ca7731bbe27be0922d68e5479cc10f87a1b29acfbe44a506414761a379a2a.exe, procid_target 82)
PID 3472 wrote to memory of 1896 (Process: 470ca7731bbe27be0922d68e5479cc10f87a1b29acfbe44a506414761a379a2a.exe, procid_target 82)
PID 1896 wrote to memory of 4848 (Process: net.exe, procid_target 84)
PID 1896 wrote to memory of 4848 (Process: net.exe, procid_target 84)
PID 1896 wrote to memory of 4848 (Process: net.exe, procid_target 84)
PID 3472 wrote to memory of 3552 (Process: 470ca7731bbe27be0922d68e5479cc10f87a1b29acfbe44a506414761a379a2a.exe, procid_target 56)
PID 3472 wrote to memory of 3552 (Process: 470ca7731bbe27be0922d68e5479cc10f87a1b29acfbe44a506414761a379a2a.exe, procid_target 56)
Processes
Depth 1: C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3552
  Depth 2: C:\Users\Admin\AppData\Local\Temp\470ca7731bbe27be0922d68e5479cc10f87a1b29acfbe44a506414761a379a2a.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\470ca7731bbe27be0922d68e5479cc10f87a1b29acfbe44a506414761a379a2a.exe"
    Signatures: Enumerates connected drives; Drops file in Program Files directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    PID: 3472
    Depth 3: C:\Windows\SysWOW64\net.exe
      Command line: net stop "Kingsoft AntiVirus Service"
      Signatures: Suspicious use of WriteProcessMemory
      PID: 1896
      Depth 4: C:\Windows\SysWOW64\net1.exe
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        PID: 4848
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 254KB
MD5: 48b536408ac1a66263ed8da4ec21add8
SHA1: 62d20d73d6035d5ce1e1bf1068ff3bf52d609c3b
SHA256: fbc2cf414606174f3555d76fe647557b72ac47e6bda0864fd8c5dad738df1733
SHA512: 44f09df70cb4cafa63f88899b0b0fa07bf8fcd5d0106a9a945453de7570c37985039c4a7267708815b6c707539e9a4472d329f010f6a692c5c1fcaab6c41f1c0

Filesize: 173KB
MD5: 3663d2163269293cc25be97396086736
SHA1: 0ce262073ab6b6e8e5df6ad26aaed4ee7bdc4b95
SHA256: 1862fb96abe7cf6ff05b0ce2b9db6b98b9aab219b96f49791438d053adfadeb7
SHA512: a81b044ca46f55ad2045aa6c241b0b42621a7a10e26c0fe4d304f8bee63d9f3285c6fee6e253c0883e337904d0fe4626dd12b6b291b61c35632b69cc4269ae0c

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize: 639KB
MD5: f1a31b2ce27caa12b0c83698d2266dbe
SHA1: 41d0f0731185588db910853ce965e677bd2e53e5
SHA256: c013780783b3c6105da7ffd4b46452fadec0336c22a310fc20a3b67778855105
SHA512: a12d12be843f39c38bc6e596c08760744bf07f4a06636a592a883989ec4467b76b9ca6b859bfd997a9d6cb85e3abbac82729e71ea989df9d3ba065e740e12206

Filesize: 9B
MD5: 1f206a052c160fd77308863abd810887
SHA1: 3b27ec1dc4b51fb7f1793a9ca9bb0d2e53e60eb1
SHA256: 45129bd309ca763a88c6bf438896e82b939d6491036658c4512c57f8353938c1
SHA512: bd7857c146b01a49d34d4eb84053353eeb586bee6916426179305d5e2360559adea4040fe2184a3a803943ff4e6526cc38c665f9a808355619628868d53fbed5