0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799

Analysis

max time kernel
150s
max time network
106s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
21/09/2024, 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
Size

26KB
MD5

e207b9fe562e784a003de76c8985e4b0
SHA1

a913efadc46fbea856276be5133f6e5f070cc582
SHA256

0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799
SHA512

8026fd862af1fdbb2486d05be17a2cd71bb54d6c6dc019ad8936aefbb1c601019486ad1e3b3b3b48820aa52da0fc06190f1a58c2292f4e898bc138a932538d32
SSDEEP

768:t1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoLvC:rfgLdQAQfcfymN

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\O:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\M:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\I:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\H:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\V:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\S:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\P:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\N:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\J:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\G:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\E:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\Z:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\R:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\W:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\L:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\U:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\T:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\Q:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\K:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\Y:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened (read-only)	\??\X:	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ja-jp\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ko-kr\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-gb\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\es-es\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ca-es\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-ma\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\HelpCfg\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\js\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ru-ru\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nl-nl\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\fr-fr\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tr\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sv-se\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sl-sl\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sv-se\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.195.15\MicrosoftEdgeUpdateOnDemand.exe	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\cs-cz\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hu-hu\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Google\Update\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\fr-FR\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\pa\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\cs-cz\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\js\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-il\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\mk-MK\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ja-jp\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\zh-tw\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ar-ae\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sk-sk\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\WidevineCdm\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-black\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\zh-tw\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-il\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ru-ru\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\tr-tr\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\de-de\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File opened for modification	C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files\dotnet\host\fxr\7.0.16\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PlaceCard\contrast-white\_desktop.ini	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4864	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
4864	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
4864	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
4864	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
4864	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
4864	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
4864	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
4864	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
4864	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
4864	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
4864	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
4864	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
4864	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
4864	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
4864	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
4864	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
4864	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
4864	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
4864	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
4864	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 3084	4864	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe	82
PID 4864 wrote to memory of 3084	4864	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe	82
PID 4864 wrote to memory of 3084	4864	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe	82
PID 3084 wrote to memory of 4784	3084	net.exe	84
PID 3084 wrote to memory of 4784	3084	net.exe	84
PID 3084 wrote to memory of 4784	3084	net.exe	84
PID 4864 wrote to memory of 3496	4864	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe	56
PID 4864 wrote to memory of 3496	4864	0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3496
- C:\Users\Admin\AppData\Local\Temp\0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe
  "C:\Users\Admin\AppData\Local\Temp\0e1d7b1bc93df70ebd41fb4b5a2ae0e85f519568786e352f1404a425b2ee3799.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4864
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3084
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:4784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

Filesize
244KB

MD5
c101fbd18e88122722036b2e366e9c51

SHA1
0b67b3ca71c212afab2259d198bf9510b71725cb

SHA256
209515464e58a67a65a06be221740a43dbb54adfbc55d629a8087796380f388b

SHA512
5c4561c56ad02ff968820cb00a2f7b119637971d141dc9ee2e7de805e1325dcfca8903e82a517d7f05ea1a69b044e45dde2f0b349cd83ec325d42606bf2b73f3

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
170KB

MD5
6a73a842894df7a135f8047c7ab29c46

SHA1
df2359f8682200009cfd541ec9c1cca797e49f5f

SHA256
d994fdd69262790f9eaf14353183e26b4d5d54d1497c5692b499861f3e61653b

SHA512
1a73c9415f997a1ac8f38f645212ba38bfed9591b06c25a0c0ae597cbb3172b85e0a12d132819a07ae63568d08c90894fc89c3edc3039ec42b7c7636ba9a52ce

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
636KB

MD5
82168b5f40194e6e86457c2b534cfc21

SHA1
3e2702a384a03243e98ee6866e09f6d5df9b5de5

SHA256
c2f452c90356d0070c71ce17da69c4245dc24f46e1215eca22748567e48279d9

SHA512
6d041166b41e4608aa46b1724322a22d49e5d709f4b1bf89d2c6819282a813c88cd74ba6167f337d4d36a741ae53830b04e58e92fbfc597f85cd7f763284c774

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-656926755-4116854191-210765258-1000\_desktop.ini

Filesize
9B

MD5
5412111268dd2c1fb1cf8697bfab9b6c

SHA1
16d0b289e83c74cb50a004edd7c5750ac706f321

SHA256
f3aa35be7048ddbf11fc581e5f9476745d75bcf097e121ba2915614e360a0cdc

SHA512
13fc5bf11faaf5471fde8a1bafdcc6d27521bad796e5e532c94d9c8232dd70088e70b6d5ac60c4c15d13e59926ac38e9a9e01b4dd4694a77d70bdd1ae7005ccf

Download Submit
memory/4864-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4864-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4864-22-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4864-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4864-528-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4864-1219-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4864-5-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4864-4777-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4864-5222-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download