6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639

Analysis

max time kernel
189s
max time network
206s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
29/11/2022, 03:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
Size

29KB
MD5

0701fbc99dad965d1ab22853b0d8f9b6
SHA1

e45c77895880af26f88edc1fcd4563c495616a40
SHA256

6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639
SHA512

85eee0fac51f84e2a3fcdf2d8a735c16d1bdc8f591cbe695ec0ae3beb8f5bf1d524df2725115d9cf657e0c58d6e32968e15f35776db94296b459551d7140817b
SSDEEP

384:sbbPuKaS80Nat1Gt5M0zhIV/DZ3KZp7JcTO4yf9Knuf2MqlUV2V9wVfUnfRqOzG4:40Hht16GVRu1yK9fMnJG2V9dHS8

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Z:	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened (read-only)	\??\V:	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened (read-only)	\??\P:	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened (read-only)	\??\O:	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened (read-only)	\??\M:	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened (read-only)	\??\K:	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened (read-only)	\??\H:	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened (read-only)	\??\E:	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened (read-only)	\??\T:	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened (read-only)	\??\J:	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened (read-only)	\??\X:	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened (read-only)	\??\W:	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened (read-only)	\??\U:	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened (read-only)	\??\R:	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened (read-only)	\??\Q:	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened (read-only)	\??\Y:	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened (read-only)	\??\S:	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened (read-only)	\??\N:	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened (read-only)	\??\L:	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened (read-only)	\??\I:	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened (read-only)	\??\G:	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened (read-only)	\??\F:	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\lib\locale\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\jjs.exe	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\java.exe	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\fonts\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\MEIPreload\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\klist.exe	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\images\cursors\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\cmm\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\management\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\db\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\jfr\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\modules\locale\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File created	C:\Program Files\7-Zip\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ssvagent.exe	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\lib\cmm\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\deploy\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\security\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\images\cursors\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File created	C:\Program Files\Java\jdk1.8.0_66\jre\bin\dtplugin\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\platform\config\Modules\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\profiler\lib\deployed\jdk16\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File created	C:\Program Files\Google\Chrome\Application\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\idlj.exe	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File created	C:\Program Files\Java\jdk1.8.0_66\db\bin\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\security\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File created	C:\Program Files\Google\Chrome\Application\89.0.4389.114\default_apps\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\deploy\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Mozilla Firefox\plugin-hang-ui.exe	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\modules\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javadoc.exe	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\ktab.exe	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File created	C:\Program Files\Java\jre1.8.0_66\lib\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Mozilla Firefox\crashreporter.exe	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\servertool.exe	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\lib\fonts\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\visualvm\visualvm\config\Modules\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\swiftshader\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\lib\management\_desktop.ini	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3604	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
3604	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
3604	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
3604	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
3604	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
3604	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
3604	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
3604	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
3604	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
3604	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
3604	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
3604	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
3604	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
3604	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
3604	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
3604	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
3604	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
3604	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
3604	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
3604	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3604 wrote to memory of 2580	3604	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe	83
PID 3604 wrote to memory of 2580	3604	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe	83
PID 3604 wrote to memory of 2580	3604	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe	83
PID 2580 wrote to memory of 5076	2580	net.exe	85
PID 2580 wrote to memory of 5076	2580	net.exe	85
PID 2580 wrote to memory of 5076	2580	net.exe	85
PID 3604 wrote to memory of 2080	3604	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe	35
PID 3604 wrote to memory of 2080	3604	6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe	35

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2080
- C:\Users\Admin\AppData\Local\Temp\6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe
  "C:\Users\Admin\AppData\Local\Temp\6fdf0d28d1e4bfbfa499deb22ae05f532ac22b0a6cdf3e929dc7dc8da089e639.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2580
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:5076

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3604-132-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/3604-135-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download