Analysis

Max time kernel: 150s
Max time network: 150s
Platform: windows10-2004_x64
Resource: win10v2004-20240508-en
Resource tags: arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
Submitted: 13-06-2024 18:43

Static task: static1

Behavioral task: behavioral1
Sample: 3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe
Resource: win7-20240611-en

Behavioral task: behavioral2
Sample: 3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe
Resource: win10v2004-20240508-en
General

Target: 3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe
Size: 27KB
MD5: 522f5828b177b3aa961c91c390994c15
SHA1: 5942de653667031a36340cce4099e3f6a28d3d51
SHA256: 3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd
SHA512: 91be6026a7633ec5951f4a9e7ca55cf6d0050b3e03f6746e39d71dbc215fb43b7a3a57ac996d5dd32c4b00d98714cc354cebc2d3c2c2a526a05e982bf4540711
SSDEEP: 384:Mb1Gt5M0zhIV/DZ3KZp7JcTO4yf9KFL/KaUUqd3qR+FlYTj9QTN0wpD9p5Cs:S16GVRu1yK9fMFLKaTxsujCT7pZpY
Malware Config

Signatures

Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (1 IoC)
Process: 3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe
File created: C:\Windows\rundl132.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)
Process: 3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe (PID 3552)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes:
  PID 3552 3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe wrote to memory of PID 4456 net.exe
  PID 3552 3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe wrote to memory of PID 4456 net.exe
  PID 3552 3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe wrote to memory of PID 4456 net.exe
  PID 4456 net.exe wrote to memory of PID 232 net1.exe
  PID 4456 net.exe wrote to memory of PID 232 net1.exe
  PID 4456 net.exe wrote to memory of PID 232 net1.exe
  PID 3552 3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe wrote to memory of PID 3396 Explorer.EXE
  PID 3552 3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe wrote to memory of PID 3396 Explorer.EXE
Processes

C:\Windows\Explorer.EXE (PID 3396)
  Command line: C:\Windows\Explorer.EXE

  C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe (PID 3552)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe"
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\net.exe (PID 4456)
      Command line: net stop "Kingsoft AntiVirus Service"
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\net1.exe (PID 232)
        Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
MITRE ATT&CK Enterprise v15
Downloads