fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e

Analysis

max time kernel
149s
max time network
118s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
02/10/2024, 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
Size

45KB
MD5

f6e9b0c9e02e4921fdd4867af862d291
SHA1

2446b33f5a1697f6427a17a72188f7f4317a4b09
SHA256

fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e
SHA512

f77f771672edc9aa23b8e173f293a79e290be7585ec723521e13a9858557d4f76806a53e61f66a5ab9fc04b80e1c8e6df43ecda8e004b015fff7413a46b5b046
SSDEEP

768:6CSO14C59uig7jSVP0xeeaKukD9vtPY3RJXQzWQ3655Kv1X/qY1MSd:Fd23SVBdY9vi9QzHqaNrFd

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\X:	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened (read-only)	\??\M:	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened (read-only)	\??\I:	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened (read-only)	\??\J:	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened (read-only)	\??\Z:	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened (read-only)	\??\R:	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened (read-only)	\??\P:	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened (read-only)	\??\L:	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened (read-only)	\??\O:	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened (read-only)	\??\N:	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened (read-only)	\??\Y:	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened (read-only)	\??\W:	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened (read-only)	\??\V:	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened (read-only)	\??\S:	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened (read-only)	\??\H:	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened (read-only)	\??\G:	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened (read-only)	\??\E:	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened (read-only)	\??\U:	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened (read-only)	\??\T:	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened (read-only)	\??\Q:	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened (read-only)	\??\K:	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened for modification	C:\Program Files\Microsoft Games\Purble Place\ja-JP\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\lua\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File created	C:\Program Files\Java\jre7\lib\zi\America\Kentucky\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ach\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\es-ES\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File created	C:\Program Files\VideoLAN\VLC\lua\http\css\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Calendar\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File created	C:\Program Files\VideoLAN\VLC\locale\an\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Solutions\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\en-US\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Asia\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File created	C:\Program Files\Java\jre7\lib\zi\Antarctica\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened for modification	C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File created	C:\Program Files (x86)\Internet Explorer\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\misc\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AMT\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened for modification	C:\Program Files\Windows Defender\MSASCui.exe	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\de-DE\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\GrayCheck\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Library\SOLVER\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2532	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
2532	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
2532	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
2532	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
2532	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
2532	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
2532	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
2532	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
2532	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
2532	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
2532	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
2532	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
2532	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
2532	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
2532	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
2532	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
2532	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
2532	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
2532	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
2532	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 1524	2532	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe	31
PID 2532 wrote to memory of 1524	2532	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe	31
PID 2532 wrote to memory of 1524	2532	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe	31
PID 2532 wrote to memory of 1524	2532	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe	31
PID 1524 wrote to memory of 2480	1524	net.exe	33
PID 1524 wrote to memory of 2480	1524	net.exe	33
PID 1524 wrote to memory of 2480	1524	net.exe	33
PID 1524 wrote to memory of 2480	1524	net.exe	33
PID 2532 wrote to memory of 1192	2532	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe	21
PID 2532 wrote to memory of 1192	2532	fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1192
- C:\Users\Admin\AppData\Local\Temp\fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe
  "C:\Users\Admin\AppData\Local\Temp\fd4fa8c3d3d6a51f86c5592d05576cf74593b7da86bbc5a3c011ae73bb4b9b0e.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1524
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
270KB

MD5
96145f99f4a6e3fb74552d944bcd005d

SHA1
8d074fcd9b677763e3017edc8b963075e249bd97

SHA256
9f1d7af9c26c5d46a35903f26719b693e765e6ab4874a6bbbf9f6bb7f38b63d1

SHA512
79ceaf65a134c7bf6f574278be8b2acf14694a21e2ede33b1f0a2fe9276795c387f1df5548fd058bbbd46c6462f620231fe6c47406d822efa8bfce802bf78398

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
975KB

MD5
694ff7753871a5756dcf606e25637127

SHA1
414eff38e6fc311d46d29a79c40dd82dd9a628aa

SHA256
27741796103fe6d2e40c4a043a3bb29ed74e513524d3d36062dba053d37fe437

SHA512
4e28aa34829f0ffd90e16ee125742f8eeb355c9141280c6f7a38338306ec3f679c536043349a64b92b256f2425dd6fa3b0d56c0398be2325f9bf46f5bddc3b20

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
489KB

MD5
34a8a3942d30ad7099e8fb30e2e49497

SHA1
136f1ddb67c6818a2efe346690c5069243312135

SHA256
e3d8bed0a97288f78871b0be12b4d5eae27225340e3b9f278b48a812784d947d

SHA512
6f785f3f3f816f0e2a4fcfff55a013922ddb222d32332092b22ce5df7597ece0f165a90020518064a3d2e055d582b68a32eafc5931157afe7111e79697c229c7

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-312935884-697965778-3955649944-1000\_desktop.ini

Filesize
9B

MD5
d06309e93519e57d5287c344a384f6ff

SHA1
b8133d94ab653f905fdcc69f5026a8ec14bedcc7

SHA256
726a2e0d850f5f79845806d92a8cf6c98eb6182ba5098c0aab2d21ac5d5b4e82

SHA512
73392bb20e7c7300e4f6bdd271890a4164dfc895ac091e80787b53c745e153e6417bf18c44fe378716b35252cd164a64d9dae7b538a89bce7d6cdbdd5b4608a1

Download Submit
memory/1192-5-0x0000000002E20000-0x0000000002E21000-memory.dmp

Filesize
4KB

Download
memory/2532-65-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2532-0-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2532-72-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2532-20-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2532-324-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2532-1839-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2532-14-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2532-3286-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download
memory/2532-7-0x0000000000400000-0x0000000000437000-memory.dmp

Filesize
220KB

Download