a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240705-en
resource tags

arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
submitted
02-08-2024 17:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
Size

29KB
MD5

2d3658d5db691d9c616d54054b23227e
SHA1

0c6fc3568cffa7b16a4d662057ceb57d8d7b84a1
SHA256

a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff
SHA512

3cd103430d517aae3180d71cf54005b6921a2d36ef373fee43cca97ddeed7720b4c16853d066e80af6156748f399d194f2e58c71f6366599c24abaf264a55cf8
SSDEEP

384:NbbRrwh+uPW1Gt5M0zhIV/DZ3KZp7JcTO4yf9Knuf2MqlUV2V9wVfUnfRqOzGOnj:pi1PW16GVRu1yK9fMnJG2V9dHS8

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened (read-only)	\??\Q:	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened (read-only)	\??\U:	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened (read-only)	\??\W:	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened (read-only)	\??\V:	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened (read-only)	\??\P:	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened (read-only)	\??\O:	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened (read-only)	\??\M:	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened (read-only)	\??\L:	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened (read-only)	\??\I:	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened (read-only)	\??\X:	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened (read-only)	\??\G:	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened (read-only)	\??\R:	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened (read-only)	\??\K:	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened (read-only)	\??\J:	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened (read-only)	\??\H:	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened (read-only)	\??\E:	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened (read-only)	\??\Z:	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened (read-only)	\??\S:	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened (read-only)	\??\N:	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened (read-only)	\??\Y:	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe AIR\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\video_filter\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1036\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File created	C:\Program Files (x86)\Common Files\Adobe AIR\Versions\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File created	C:\Program Files\Microsoft Games\Hearts\de-DE\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\InfoPath.en-us\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\es-ES\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ca@valencia\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\Components\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Cultures\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File created	C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Slate\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File created	C:\Program Files\Java\jre7\bin\server\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened for modification	C:\Program Files\Java\jre7\lib\management\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File created	C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened for modification	C:\Program Files (x86)\Windows NT\Accessories\it-IT\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javafxpackager.exe	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File created	C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\DW\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\XLSTART\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File created	C:\Program Files\Java\jre7\lib\security\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Kentucky\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File created	C:\Program Files\VideoLAN\VLC\locale\as_IN\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened for modification	C:\Program Files (x86)\MSBuild\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\es-ES\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
File created	C:\Program Files\Microsoft Games\Solitaire\es-ES\_desktop.ini	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2968	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
2968	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
2968	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
2968	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
2968	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
2968	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
2968	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
2968	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
2968	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
2968	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2968 wrote to memory of 2356	2968	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe	30
PID 2968 wrote to memory of 2356	2968	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe	30
PID 2968 wrote to memory of 2356	2968	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe	30
PID 2968 wrote to memory of 2356	2968	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe	30
PID 2356 wrote to memory of 2544	2356	net.exe	32
PID 2356 wrote to memory of 2544	2356	net.exe	32
PID 2356 wrote to memory of 2544	2356	net.exe	32
PID 2356 wrote to memory of 2544	2356	net.exe	32
PID 2968 wrote to memory of 1256	2968	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe	21
PID 2968 wrote to memory of 1256	2968	a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1256
- C:\Users\Admin\AppData\Local\Temp\a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe
  "C:\Users\Admin\AppData\Local\Temp\a1fb462e5251f6cbeb297bfca4e48872d92cc2f89b5a7d43d0a5f9e28e1705ff.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
0d251b00fba311b711741b93516a3785

SHA1
81c9483c604969b5a77f624aae23bd77e70323db

SHA256
5d532031d275b82ff3ba64688b6db263b6ec730f562ca11f0149b6ec14ff5287

SHA512
79b29b9a7738bf5ff1ae82e78c55729ce1f1b75144cbe8437939b35057f1a2f66903af3691febf52944d5a4defe23645a411ad7ab46457332ad76094007ba842

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
959KB

MD5
4be17251a10425f5b608ef1d18eab4d9

SHA1
6b59a7c570b957d72d21360a3c367a43f0373da2

SHA256
50102855acd670dd5e5cea3ff41f061276320794c07db4a692dbfdedf2944276

SHA512
2e3a4de1c0069c5784539c3be1938f3a3375b555d1c375152fed3ebf2ce04717c2a9d224d9f73c5a79afacd478492e878cd9cf8fee63387ac7a4d18268424673

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
474KB

MD5
17e5de36cf448d652adab881a4557ec2

SHA1
c45337444120f4cc4a9a65b2bee63cd61618ca2a

SHA256
32568fb07078e0d4e77efac9ad862454dba63de5c5f920d9a14de709372f2430

SHA512
22678c9ca2d70d9a3377d1f2c6c91d7649adcaccee564acdf1bd6373e60f13f6e21fc09feed5b590475889996287961a1450542741ef0888a4a0b5e9c9812b92

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3502430532-24693940-2469786940-1000\_desktop.ini

Filesize
8B

MD5
5e797d005cfee3b802f98412c511983c

SHA1
1c65a747549afbed9971b65c604d64ec1f1ab898

SHA256
dcb1b824282c0cca0aaad7a62d7857039122e25a100766f82c85f227b36e4c88

SHA512
41116f81a81859b0608b0150a4cd791b3fba9e7516ff3eb98494a3802a3532dda052a2ed955d64c023fe6d8113079d7190df6f5bcc7ef86c8e743419a758706b

Download Submit
memory/1256-5-0x0000000002E80000-0x0000000002E81000-memory.dmp

Filesize
4KB

Download
memory/2968-66-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2968-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2968-72-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2968-20-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2968-519-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2968-1849-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2968-14-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2968-3309-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2968-7-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download