c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79

Analysis

max time kernel
150s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15/04/2024, 22:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
Size

26KB
MD5

d4c1c1e7a7bb540a3ccc24994940320e
SHA1

e5212546a62657b13530aee8d8608ba68e630e08
SHA256

c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79
SHA512

5b5bfeb351d4d8250f81db1f720fa1fea7b17ef06074f870a86948107b37eca5e8111126c37d1efafcb21d40ac0beaeda25b43b21af869659a5914b55a675328
SSDEEP

768:Yo1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoZw:vfgLdQAQfcfymN

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\S:	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened (read-only)	\??\O:	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened (read-only)	\??\V:	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened (read-only)	\??\Q:	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened (read-only)	\??\P:	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened (read-only)	\??\H:	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened (read-only)	\??\E:	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened (read-only)	\??\W:	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened (read-only)	\??\N:	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened (read-only)	\??\L:	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened (read-only)	\??\I:	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened (read-only)	\??\M:	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened (read-only)	\??\K:	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened (read-only)	\??\Z:	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened (read-only)	\??\Y:	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened (read-only)	\??\X:	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened (read-only)	\??\U:	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened (read-only)	\??\T:	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened (read-only)	\??\R:	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened (read-only)	\??\J:	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened (read-only)	\??\G:	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\110.0.5481.104\WidevineCdm\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ar-ae\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fi-fi\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\cs-cz\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\it-it\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\uk-ua\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\PlaceCard\contrast-white\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\eu-es\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sl-sl\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File created	C:\Program Files\VideoLAN\VLC\locale\th\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_neutral_~_8wekyb3d8bbwe\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File created	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fr-fr\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ru-ru\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\fr-FR\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sv-se\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File created	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\de-de\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\css\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\he-il\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File created	C:\Program Files\Java\jre-1.8\lib\images\cursors\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\VisualElements\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ieinstal.exe	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File created	C:\Program Files\WindowsApps\Mutable\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\es-ES\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nb-no\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\da-dk\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\it-it\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\pt-br\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File created	C:\Program Files\Google\Chrome\Application\110.0.5481.104\default_apps\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\pages\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\hu-hu\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\cs-cz\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\dummy\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\fr-fr\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\Simple\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\eu-es\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\themes\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-sl\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\he-il\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ca-es\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tt\LC_MESSAGES\_desktop.ini	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
5060	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
5060	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
5060	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
5060	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
5060	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
5060	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
5060	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
5060	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
5060	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
5060	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
5060	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
5060	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
5060	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
5060	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
5060	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
5060	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
5060	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
5060	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
5060	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
5060	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 3604	5060	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe	84
PID 5060 wrote to memory of 3604	5060	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe	84
PID 5060 wrote to memory of 3604	5060	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe	84
PID 3604 wrote to memory of 3468	3604	net.exe	86
PID 3604 wrote to memory of 3468	3604	net.exe	86
PID 3604 wrote to memory of 3468	3604	net.exe	86
PID 5060 wrote to memory of 3496	5060	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe	56
PID 5060 wrote to memory of 3496	5060	c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3496
- C:\Users\Admin\AppData\Local\Temp\c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe
  "C:\Users\Admin\AppData\Local\Temp\c00cca3e2742d435099826a21adc3944e5de7701a068bba9339f3acc61ac0c79.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3604
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:3468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
9a0157099f583c025f870abcf927d8b9

SHA1
b81a4fce849acc1d5a410ab5a6d18b9360aa3b08

SHA256
0e8876d8c7bde1ad018d4e4cd0792ef1dc6748497a31bc7ca1c3b90eb86e02d8

SHA512
d18fbc97929575eebac14374dc5c886745cdb2de66d5d62a3145bf848aeb67f07a59fe80487945b376158cce2d53670e33c3dc61c17d8e475b148a975ef3343f

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
170KB

MD5
9b843d6a99de0c91f9eb43558e4fb226

SHA1
809032a8851fcfcee61e4390d3b626b4872f5e32

SHA256
e978440f6670cf03ae7d8b38993a1f391bd3703e1cd0135c54364c1ba6fc052b

SHA512
036b8a98b11c2f31a7ad33bfdf2ea682138bb19a5321e033e7db5503355d7490ad68b1861cd1cf94ca77259e4d4165d9e4128fca9b24953af9f4ac263195ae72

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
636KB

MD5
53ee62011469b286a2a1b5658c86b9bf

SHA1
9bdac0b23b0a965947c780c6a6b48fc7122f9ade

SHA256
7125735e4e8595f1c17ff3235bc65dacabc2ec874b29ac7ba8eddd80ad10b3c0

SHA512
c9c24e578da0a38048e71548fac66465bcb624e971f745bba559e8c49fd621752e718d4c983a90a97277407bb23348ca109436e1eeebef030c3b599c712ff236

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-355664440-2199602304-1223909400-1000\_desktop.ini

Filesize
9B

MD5
137c71ab33d39f41d1d0f506748620c6

SHA1
615708c800cedc2541589174e6e677e1563367b5

SHA256
f1a3a71540f6e454bf800af51e8e8085c233f7281852519bd8b0ae36071f13e0

SHA512
cb8e0ffac4c5606dec5cc9ccdb6ac981ed120efc64a4f4750ac59149280da5fb379c2af737bde3d9e23ca21c3ee3fa9e6c252dee9ef22102886e2390c9d504fc

Download Submit
memory/5060-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-5-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-18-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-22-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-1212-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-4778-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5060-5217-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download