7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d

Analysis

max time kernel
149s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
22/07/2024, 14:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
Size

26KB
MD5

65577849edc88956c4870affd7ef9ac9
SHA1

58e5c77e39f7398a912861a27d9a69d137f98edf
SHA256

7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d
SHA512

6e531e72308daa6fe6da4018451b36fc4289e24417ba6cb7d597dac029341b3e5297ef960933ca774db9fe99b8007c607ef7a44b6ac6b290015f85f81bce7a19
SSDEEP

768:QBN1ODKAaDMG8H92RwZNQSw+IlJIJJREIOAEeF1:cfgLdQAQfhJIJ0IO61

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\E:	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened (read-only)	\??\Z:	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened (read-only)	\??\R:	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened (read-only)	\??\Q:	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened (read-only)	\??\M:	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened (read-only)	\??\V:	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened (read-only)	\??\T:	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened (read-only)	\??\L:	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened (read-only)	\??\J:	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened (read-only)	\??\K:	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened (read-only)	\??\I:	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened (read-only)	\??\H:	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened (read-only)	\??\G:	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened (read-only)	\??\Y:	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened (read-only)	\??\W:	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened (read-only)	\??\P:	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened (read-only)	\??\N:	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened (read-only)	\??\X:	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened (read-only)	\??\U:	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened (read-only)	\??\S:	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened (read-only)	\??\O:	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Toolkit\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\dark\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hu-hu\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fr-fr\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\spu\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\dark\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\da-DK\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\it-IT\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files\VideoLAN\VLC\locale\el\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened for modification	C:\Program Files\Windows Multimedia Platform\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\it-it\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ro-ro\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\dark\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\es-es\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fi-fi\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\da-dk\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\Simple\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.106\VisualElements\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lo\LC_MESSAGES\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened for modification	C:\Program Files\Windows Defender\en-US\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ar-ae\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\wmpshare.exe	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lt\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fi-fi\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ja-jp\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ro-ro\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\brx\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fi-fi\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ca-es\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files\VideoLAN\VLC\locale\gl\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\uz-Latn-UZ\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\pt-br\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ru-ru\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\legal\jdk\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sk-sk\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\cs-cz\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_x64__8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\pt-br\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
File opened for modification	C:\Program Files (x86)\Windows Defender\fr-FR\_desktop.ini	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4968	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
4968	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
4968	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
4968	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
4968	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
4968	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
4968	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
4968	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
4968	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
4968	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
4968	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
4968	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
4968	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
4968	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
4968	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
4968	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
4968	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
4968	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
4968	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
4968	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4968 wrote to memory of 2016	4968	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe	84
PID 4968 wrote to memory of 2016	4968	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe	84
PID 4968 wrote to memory of 2016	4968	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe	84
PID 2016 wrote to memory of 932	2016	net.exe	86
PID 2016 wrote to memory of 932	2016	net.exe	86
PID 2016 wrote to memory of 932	2016	net.exe	86
PID 4968 wrote to memory of 3532	4968	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe	56
PID 4968 wrote to memory of 3532	4968	7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe	56

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3532
- C:\Users\Admin\AppData\Local\Temp\7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe
  "C:\Users\Admin\AppData\Local\Temp\7facb56e0b9a9a121d573578a578e925eb4fee63ef345b77dc3816cec9baa58d.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4968
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2016
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

Filesize
244KB

MD5
a1e9ca65759b88d4628351399b259383

SHA1
92ae11cb054be8ddbc5cd4ac7b47c0bcc304ee1e

SHA256
f0b414d1076a585a4523f78596362262e844349cc00e07f321ce2ca6e26925b9

SHA512
3a4cab4b48d6686b75d5089f52e71084e1944a150315a3cd0f56802c065e8b08a1be329ec22569a77c906ee1ed2272305529d02e458b2e3ccf253fef28c4cbec

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
170KB

MD5
996122ccd0c5a431dec679102eed0687

SHA1
52c5fcaafaa70c459955d63bbc56a445800f2cc2

SHA256
6678c01aa58220863b64f7f568d3ed2d3eb874a7e2d1eb437d0d0300f3a33b44

SHA512
f425441d7981e75ed22b078d9e53367add80498ca06608c04e4006ef9a1f5ad356bc6aecb983e37fcc3ff4a6b65646d66291ea59e65a57319edd87b4aba00d59

Download Submit
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

Filesize
636KB

MD5
d82ffc872aed7c85cf936dcdcc2e6372

SHA1
50ca56cb4a429ce1532afaa2732f61833fc2b54f

SHA256
a487733710d946abff1a93a23ae6bbafd6c0800bc78e4d5e3cac36e2a14ddace

SHA512
0b0031418275c6be01f7757111058cd5bd3e5f4862e0631e2e28c5e7ffbb271446abdc2a88a7953ae55112799bc4a051becc2b14491e0d1760e336498665cc8b

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-384068567-2943195810-3631207890-1000\_desktop.ini

Filesize
9B

MD5
5e286801abdc6ca5d3091665a72ecd7c

SHA1
87e0b4601ab0b05784a1059a45d72d807b0e2cbb

SHA256
131ccc46b756e5373dc2f2d37625bfb980a48f2f2287585da364166cf2e709b5

SHA512
51506d6adb68cca9e21fcddfe9672b91352cdb4f3c5b8c2da40219c73d2e7724776cd8701ff68449720c0aa398fe4f7665dabae2bd5147d42c5b6882c99f0bf1

Download Submit
memory/4968-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4968-5-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4968-12-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4968-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4968-22-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4968-1219-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4968-4770-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4968-5215-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download