Analysis
max time kernel: 149s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 13-06-2024 18:49
Static task: static1
Behavioral task: behavioral1
  Sample: 4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe
  Resource: win10v2004-20240508-en
General
Target: 4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe
Size: 29KB
MD5: f0701d493c575432a1fc5e5fe6b323f7
SHA1: b17d93ef21a614224ea906ddf17ccd565433f3d3
SHA256: 4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc
SHA512: b9cf21304e0a86ccf411b7c62fea57780f7be83d77993b71d8dd9ecf7c17ac075c87b01f36286b82a94953012c78da5d2298bd6a210bbba45342b2988933d3e7
SSDEEP: 384:NbbtQY8N4g1Gt5M0zhIV/DZ3KZp7JcTO4yf9Knuf2MqlUV2V9wVfUnfRqOzGOnJh:pBsT16GVRu1yK9fMnJG2V9dHS8
Malware Config
Signatures
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in Program Files directory (64 IoCs)
Drops file in Windows directory (1 IoC)
File created: C:\Windows\rundl132.exe (by 4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe)
Runs net.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs, all from PID 3496, 4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe)
Suspicious use of WriteProcessMemory (8 IoCs)
Processes (source PID / source process -> target PID / target process):
  PID 3496 4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe wrote to memory of PID 1988 net.exe
  PID 3496 4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe wrote to memory of PID 1988 net.exe
  PID 3496 4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe wrote to memory of PID 1988 net.exe
  PID 1988 net.exe wrote to memory of PID 1348 net1.exe
  PID 1988 net.exe wrote to memory of PID 1348 net1.exe
  PID 1988 net.exe wrote to memory of PID 1348 net1.exe
  PID 3496 4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe wrote to memory of PID 3532 Explorer.EXE
  PID 3496 4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe wrote to memory of PID 3532 Explorer.EXE
Processes
1. C:\Windows\Explorer.EXE
   Command line: C:\Windows\Explorer.EXE
   PID: 3532
   2. C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe"
      PID: 3496
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\net.exe
         Command line: net stop "Kingsoft AntiVirus Service"
         PID: 1988
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\net1.exe
            Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            PID: 1348
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 254KB
MD5: 1cc007ad1cf7a7166c5948204c910c52
SHA1: 378f62d6d34f7ce4ca389bd378ff9bce27222731
SHA256: 302563b3bc71e1ec5178f58aceed32cf6c91664372d00f61038880b31b6bbecb
SHA512: 9f6de25ba108d143d391b876658997c7f31989ca57f0d2783d45a23c721996c7c76cbd1f89c98feed38d55b5d11c1098898549872671164a688bef4e934fd463

Filesize: 173KB
MD5: 789727db484b9ccef228b4540c976c77
SHA1: 3f425d7dec5abc50878707f219dfe8f752a2eeb0
SHA256: 7e78362685f2259541422899c96484544bbfd14f2b9f75a5ecb77c0a7758a4f9
SHA512: 2184a0c02506b10eb77311448247104163106e6da8dadc55eeff0cb77d57f2bfd90eb01fcb907527a204347cea406781483ecb5eaaa4a070f5af23ba88c2e6e3

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
Filesize: 639KB
MD5: ad5a7e5eb1a1cdd791957e07c93748ae
SHA1: 6e4f8c5f4d791327e11d0d68ca6f514554af8481
SHA256: cfee92d916fbbb95d8282c3264d3708ad1ddfdd9db4daaf00e0c96a22854c4dc
SHA512: a8acd191aec48dac8d5808a93ee973ea52793140e318b4d870fb10e4e8ba0756fe95654134dd1c175168375a0f7caebfd8a7d46a9b3dc71006f830b53dd9fefe

Filesize: 9B
MD5: 4f2460b507685f7d7bfe6393f335f1c9
SHA1: 378d42f114b1515872e58de6662373af31ab8c7b
SHA256: 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512: 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb