Analysis
-
max time kernel
100s -
max time network
109s -
platform
windows11-21h2_x64 -
resource
win11-20250619-en -
resource tags
arch:x64arch:x86image:win11-20250619-enlocale:en-usos:windows11-21h2-x64system -
submitted
30/06/2025, 17:43
Static task
static1
Behavioral task
behavioral1
Sample
f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe
Resource
win10v2004-20250619-en
Behavioral task
behavioral2
Sample
f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe
Resource
win11-20250619-en
General
-
Target
f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe
-
Size
32KB
-
MD5
cdaabb480b7d3c10c6f4f451c8c08d69
-
SHA1
667ce007c73b1d663decd86d730227569d23acbb
-
SHA256
f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842
-
SHA512
389083da42235678a2d2b3420729fd46be6c0139b9177dc39108252cbbc24881d610e0637f12980f86c042ec79abcf0bdbac7d94610ab11269f8b0f44a6bbc31
-
SSDEEP
768:5EW5CT2ljlL5b+n8WF6mucTqDf2KDVOPLa:5Eaj95b+n8wKcTDKDVO
Malware Config
Signatures
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\G: f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened (read-only) \??\E: f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened (read-only) \??\K: f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened (read-only) \??\J: f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened (read-only) \??\M: f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened (read-only) \??\Y: f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened (read-only) \??\T: f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened (read-only) \??\R: f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened (read-only) \??\P: f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened (read-only) \??\I: f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened (read-only) \??\H: f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened (read-only) \??\X: f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened (read-only) \??\U: f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened (read-only) \??\S: f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened (read-only) \??\O: f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened (read-only) \??\L: f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened (read-only) \??\N: f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened (read-only) \??\Z: f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened (read-only) \??\W: f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened (read-only) \??\V: f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened (read-only) \??\Q: f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File created C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\en\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ca-es\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ca-es\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sv-se\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File created C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ko-kr\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-tw\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fi-fi\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\ms\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\he-il\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\zh-cn\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened for modification C:\Program Files\Internet Explorer\SIGNUP\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\ar\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File created C:\Program Files\Microsoft Office\root\Office16\MSIPC\ru\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\fa\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sl-si\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pl\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\fr\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\BORDERS\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened for modification C:\Program Files\Windows Media Player\it-IT\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened for modification C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ro-ro\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ks_IN\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened for modification C:\Program Files\VideoLAN\VLC\locale\ky\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File created C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File created C:\Program Files\VideoLAN\VLC\lua\extensions\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ko-kr\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-gb\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ro-ro\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File created C:\Program Files\VideoLAN\VLC\locale\zu\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-cn\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\css\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sk-sk\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft Help\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened for modification C:\Program Files\MSBuild\Microsoft\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File created C:\Program Files\VideoLAN\VLC\locale\ff\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File created C:\Program Files\VideoLAN\VLC\locale\ko\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File created C:\Program Files\VideoLAN\VLC\locale\vi\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CONCRETE\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nb-no\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sl-sl\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File created C:\Program Files\7-Zip\Lang\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened for modification C:\Program Files\Microsoft Office\root\Office16\FPA_f2\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File created C:\Program Files\VideoLAN\VLC\plugins\stream_filter\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\da-dk\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\uk-ua\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\de-de\_desktop.ini f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe -
Drops file in Windows directory 2 IoCs
description ioc Process File created C:\Windows\rundl132.exe f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe File created C:\Windows\Dll.dll f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe -
Program crash 2 IoCs
pid pid_target Process procid_target 2480 3472 WerFault.exe 81 6072 3472 WerFault.exe 81 -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net1.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language net.exe -
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 44 IoCs
pid Process 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe -
Suspicious use of WriteProcessMemory 8 IoCs
description pid Process procid_target PID 3472 wrote to memory of 4236 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 82 PID 3472 wrote to memory of 4236 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 82 PID 3472 wrote to memory of 4236 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 82 PID 4236 wrote to memory of 4228 4236 net.exe 84 PID 4236 wrote to memory of 4228 4236 net.exe 84 PID 4236 wrote to memory of 4228 4236 net.exe 84 PID 3472 wrote to memory of 3308 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 52 PID 3472 wrote to memory of 3308 3472 f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe 52
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵PID:3308
-
C:\Users\Admin\AppData\Local\Temp\f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe"C:\Users\Admin\AppData\Local\Temp\f8e7945bf1f2f610dfed315fe36f32fcc7cfe51b8b9745e03499aeba6d4ba842.exe"2⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3472 -
C:\Windows\SysWOW64\net.exenet stop "Kingsoft AntiVirus Service"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4236 -
C:\Windows\SysWOW64\net1.exeC:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"4⤵
- System Location Discovery: System Language Discovery
PID:4228
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 7923⤵
- Program crash
PID:2480
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3472 -s 8003⤵
- Program crash
PID:6072
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 3472 -ip 34721⤵PID:2360
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 3472 -ip 34721⤵PID:5264
Network
MITRE ATT&CK Enterprise v16
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
9B
MD58d5d367ed8a2afc1fc0b8fc7d14da98c
SHA1fddfad39cd8b448d0d3dbb6e9c67752999568783
SHA25693740c0db50f557803e16032194380e92e586f9cd845c4543eae2c3aa97d95f6
SHA5123215518f650fe697fa80054e2e7e98a55a23832309347704985d502ecf46726048291ace0a619b669726fda404c9235047a21563971a238864ee3523f5bbe96b