46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87

Analysis

max time kernel
150s
max time network
97s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09/09/2024, 15:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
Size

29KB
MD5

3d2370b1a6ab3ea2c9edd2ea27d8bc5c
SHA1

3be9754c3a1305ab58337e7412a384259d1da910
SHA256

46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87
SHA512

b02ae7cafe3469a4a5a03a19862774e52186a0b7305865807457af1d828c0dfbc52755c89b0c0caaab7fe9828fe948d91b8ea8a1ff1a9a5a73efc7a334faa805
SSDEEP

384:NbbA8N4g1Gt5M0zhIV/DZ3KZp7JcTO4yf9Knuf2MqlUV2V9wVfUnfRqOzGOnJh:p5T16GVRu1yK9fMnJG2V9dHS8

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened (read-only)	\??\P:	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened (read-only)	\??\O:	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened (read-only)	\??\M:	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened (read-only)	\??\J:	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened (read-only)	\??\E:	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened (read-only)	\??\Y:	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened (read-only)	\??\W:	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened (read-only)	\??\V:	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened (read-only)	\??\U:	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened (read-only)	\??\R:	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened (read-only)	\??\K:	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened (read-only)	\??\T:	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened (read-only)	\??\Q:	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened (read-only)	\??\N:	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened (read-only)	\??\L:	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened (read-only)	\??\I:	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened (read-only)	\??\H:	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened (read-only)	\??\G:	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened (read-only)	\??\Z:	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened (read-only)	\??\S:	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\de-de\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\wab.exe	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\he-il\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\hu-hu\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\es-ES\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\intf\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\es-es\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\pt-br\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\pt-br\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nl-nl\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\nl-nl\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nb-no\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\codec\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened for modification	C:\Program Files\Windows Security\BrowserCore\en-US\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\eu-es\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\es-es\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\eu-es\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\it-it\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened for modification	C:\Program Files\Java\jre-1.8\lib\management\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File created	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\css\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pt-br\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\kab\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\collect_feedback\css\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nb-no\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened for modification	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\d3d9\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\WinMetadata\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ja-jp\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\da-dk\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\hr-hr\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sv-se\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ru-ru\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\zh-cn\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File created	C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\css\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ar-ae\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugins\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\zh-tw\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\PhotosApp\Assets\ThirdPartyNotices\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-tw\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File created	C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\fmui\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\nb-no\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\it-it\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\css\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\_desktop.ini	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
1364	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
1364	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
1364	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
1364	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
1364	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
1364	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
1364	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
1364	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
1364	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
1364	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
1364	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
1364	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
1364	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
1364	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
1364	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
1364	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
1364	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
1364	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
1364	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
1364	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 4784	1364	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe	83
PID 1364 wrote to memory of 4784	1364	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe	83
PID 1364 wrote to memory of 4784	1364	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe	83
PID 4784 wrote to memory of 1740	4784	net.exe	85
PID 4784 wrote to memory of 1740	4784	net.exe	85
PID 4784 wrote to memory of 1740	4784	net.exe	85
PID 1364 wrote to memory of 3496	1364	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe	56
PID 1364 wrote to memory of 3496	1364	46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3496
- C:\Users\Admin\AppData\Local\Temp\46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe
  "C:\Users\Admin\AppData\Local\Temp\46d6ac3cdd7b6e5860d9bd7ac428d1b83910ab1d534ea1c24102f281619cde87.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1364
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4784
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\dotnet\dotnet.exe

Filesize
173KB

MD5
18a033ef9cf15e69f34dffaef206a792

SHA1
e3f8fc3a593695fe076bee26695d0d1c358665d0

SHA256
39052460b70717372a53352cbc909d6d655ae98040e5935f9dfcc00ba36a50d1

SHA512
e233c366c37513fea8e4c4d3e387d91b6cc7cc512f1aff60f19a2681df3ce672ffc17e9361120b2bd885851019afe3108780482f50954c67cf5ad932f0b094bf

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
639KB

MD5
ad5a7e5eb1a1cdd791957e07c93748ae

SHA1
6e4f8c5f4d791327e11d0d68ca6f514554af8481

SHA256
cfee92d916fbbb95d8282c3264d3708ad1ddfdd9db4daaf00e0c96a22854c4dc

SHA512
a8acd191aec48dac8d5808a93ee973ea52793140e318b4d870fb10e4e8ba0756fe95654134dd1c175168375a0f7caebfd8a7d46a9b3dc71006f830b53dd9fefe

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-656926755-4116854191-210765258-1000\_desktop.ini

Filesize
8B

MD5
5d65d1288c9ecedfd5f28d17a01a30bc

SHA1
e5bb89b8ad5c73516abf7e3baeaf1855154381dc

SHA256
3501728ad227b52ce4d4f85ddd0e6d28dfa7acce977ae27f1e337be209825a5f

SHA512
6177ce001dd535382c3bae5e8c3cfda85d8d8b76b68bce10fa8e5e1e748fd1512a531ffc93fef1316f2c27d93b5b4a5b60a6391f0e131ccc5cc0a65c2755868e

Download Submit
memory/1364-23-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1364-14-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1364-19-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1364-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1364-7-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1364-405-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1364-1220-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1364-4778-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1364-6-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/1364-5223-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download