deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6

Analysis

max time kernel
149s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/03/2024, 02:58

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
Size

29KB
MD5

0da193b37731c91309428a5f9c4e3867
SHA1

650eb41a2b9453cae174f07caeb434880c31ff0c
SHA256

deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6
SHA512

83b949bab0be69b8745c60734dc411af1c4e54508519e392d3017075ae181a9436828c95896d0e55a038c0a789d92a683e14c5ef09a6463b018f45e74e4b11e8
SSDEEP

384:z7nbbK9FQ5MRA91Gt5M0zhIV/DZ3KZp7JcTO4yf9Knuf2MqlUV2V9wVfUnfR9C55:/b2nR+16GVRu1yK9fMnJG2V9dDClcx

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\H:	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened (read-only)	\??\V:	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened (read-only)	\??\S:	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened (read-only)	\??\M:	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened (read-only)	\??\J:	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened (read-only)	\??\I:	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened (read-only)	\??\G:	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened (read-only)	\??\Z:	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened (read-only)	\??\R:	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened (read-only)	\??\N:	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened (read-only)	\??\Q:	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened (read-only)	\??\P:	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened (read-only)	\??\O:	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened (read-only)	\??\X:	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened (read-only)	\??\U:	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened (read-only)	\??\T:	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened (read-only)	\??\K:	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened (read-only)	\??\E:	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened (read-only)	\??\Y:	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened (read-only)	\??\W:	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened (read-only)	\??\L:	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\css\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\eu-es\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sk-sk\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\hi\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File created	C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\WinMetadata\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sk-sk\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ar-ae\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\ja-JP\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_2019.1111.2029.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-si\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\en-il\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ko-kr\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File created	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-gb\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_proxy\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\images\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fi-fi\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ru-ru\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tl\LC_MESSAGES\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File created	C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-gb\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AIR\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-ma\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\eu-es\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\it-it\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\PeopleAppAssets\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nb-no\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\he-il\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\de-de\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\et-EE\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\PilotshubApp.exe	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-il\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\root\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\es-es\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\View3D.ResourceResolver.exe	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-tw\_desktop.ini	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
468	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
468	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
468	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
468	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
468	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
468	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
468	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
468	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
468	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
468	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
468	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
468	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
468	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
468	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
468	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
468	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
468	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
468	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
468	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
468	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 468 wrote to memory of 208	468	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe	86
PID 468 wrote to memory of 208	468	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe	86
PID 468 wrote to memory of 208	468	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe	86
PID 208 wrote to memory of 4740	208	net.exe	88
PID 208 wrote to memory of 4740	208	net.exe	88
PID 208 wrote to memory of 4740	208	net.exe	88
PID 468 wrote to memory of 3428	468	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe	57
PID 468 wrote to memory of 3428	468	deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe	57

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3428
- C:\Users\Admin\AppData\Local\Temp\deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe
  "C:\Users\Admin\AppData\Local\Temp\deb26a15045662db922746167c0d1e6f12c5c687da57804d4215b2f49162e0f6.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:468
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:208
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:4740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
254KB

MD5
8cb0c8e3c4237d03cd0854556d1180b6

SHA1
f1ac2770008f04d308eb0314494df8373f392ea7

SHA256
4098373720a77875b125b33b4b0f98c3d0ceced6fada7cc27977b236624b9a19

SHA512
6d6c7616b004c9ddf880245f3885339dc79152bcd0ab27f744cba7ad3100484820266c10ad3fe3571ebf16e6a7d60eebeb68e503ef49030fa899e4aa5a84cff6

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
168KB

MD5
0434859e601e34a970e0c8a42e6a17d0

SHA1
259005eb9b98d4c428dc24f3c119aa41bd7c5cec

SHA256
9f408d524453f87a964648d3c3446bc86c8547f221f00ec8127caaa3606c7f56

SHA512
cb172f8eb025dc0e55fc311b4e7ea004d2ae2816a7f812c41775a04e541d17b65a87ad0b18cf1b63e4f2f9db91937521a415baf6e40fd509a5ea2e67d9ccac83

Download Submit
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

Filesize
484KB

MD5
75915a03288eae4c2377f71af5ef4387

SHA1
e1ff856b3d343af476c80b6d4a17331ea043f571

SHA256
feb198ecc9a49ce38c6000a94f54319b81532b9c6bd0644031373d009a1dbb20

SHA512
f37e5e75164e4a110b2a186b67e8ec4c5b33a98c7dcdb663e53b5a96bb249fdb534b47ca6b276eb17eeb0fa4ab5e1de2875b007f899ea01eddab48d2478a05dd

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-3270530367-132075249-2153716227-1000\_desktop.ini

Filesize
9B

MD5
9d515d16952bdb1cf51672ad091046bc

SHA1
5fe954c6d41499122182eb48cf6f9d203b9eae7c

SHA256
12ddf5d72be26a3f4fb46d905661e24bf30948454c9701f20e50436a238a25db

SHA512
d0f7522406355a837e55f5a99b6969ed4b0ccbc2e427b83a917eedffc37899b139c2b33ea73a90469a6045b3b71848bf97641528644a4a3f55d666223fa31d4b

Download Submit
memory/468-27-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/468-23-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/468-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/468-18-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/468-930-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/468-1161-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/468-1307-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/468-12-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/468-4726-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/468-5-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download