e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f

Analysis

max time kernel
153s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 19:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
Size

29KB
MD5

d6d78ef231d3a36987504f2bccc0bc73
SHA1

a88cb4c3795f31cb927985b37729bc729f0eaa54
SHA256

e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f
SHA512

d5f837b4528f7a1a871956d69f7c9e063adf83bad76f79ae90a95962add1753fbde49094531e6f84e3d7f3c73304d62f105be1bb9ea11109162411f94606d33d
SSDEEP

384:z7nbbkHc7HAR1Gt5M0zhIV/DZ3KZp7JcTO4yf9Knuf2MqlUV2V9wVfUnfR9C5fy+:/bmc7+16GVRu1yK9fMnJG2V9dDClcx

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\M:	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened (read-only)	\??\K:	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened (read-only)	\??\W:	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened (read-only)	\??\V:	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened (read-only)	\??\S:	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened (read-only)	\??\O:	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened (read-only)	\??\Q:	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened (read-only)	\??\P:	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened (read-only)	\??\L:	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened (read-only)	\??\G:	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened (read-only)	\??\Z:	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened (read-only)	\??\X:	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened (read-only)	\??\U:	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened (read-only)	\??\R:	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened (read-only)	\??\E:	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened (read-only)	\??\N:	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened (read-only)	\??\H:	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened (read-only)	\??\Y:	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened (read-only)	\??\T:	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened (read-only)	\??\J:	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened (read-only)	\??\I:	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-ma\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\wsgen.exe	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\VideoEditor.Common\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\jar.exe	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tet\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\hi-IN\View3d\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\co\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\microsoft.system.package.metadata\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\ImmersiveVideoPlayback\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened for modification	C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\MixedRealityPortal.exe	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00_14.0.27323.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\gd\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sw-KE\View3d\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fr-FR\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\Square71x71\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\javapackager.exe	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\hi\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\RTL\contrast-black\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files\7-Zip\Lang\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\tnameserv.exe	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\jre\bin\server\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\accessibilitychecker\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened for modification	C:\Program Files\Java\jdk1.8.0_66\bin\kinit.exe	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened for modification	C:\Program Files\Java\jre1.8.0_66\bin\rmid.exe	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sr-Latn-RS\View3d\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files\WindowsApps\Microsoft.WindowsMaps_2019.716.2316.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\it\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_~_8wekyb3d8bbwe\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File opened for modification	C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files\Java\jdk1.8.0_66\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
File created	C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\_desktop.ini	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
4784	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
4784	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
4784	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
4784	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
4784	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
4784	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
4784	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
4784	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
4784	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
4784	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
4784	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
4784	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
4784	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
4784	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
4784	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
4784	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
4784	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
4784	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
4784	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
4784	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4784 wrote to memory of 1244	4784	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe	83
PID 4784 wrote to memory of 1244	4784	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe	83
PID 4784 wrote to memory of 1244	4784	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe	83
PID 1244 wrote to memory of 1352	1244	net.exe	85
PID 1244 wrote to memory of 1352	1244	net.exe	85
PID 1244 wrote to memory of 1352	1244	net.exe	85
PID 4784 wrote to memory of 3216	4784	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe	57
PID 4784 wrote to memory of 3216	4784	e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe	57

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3216
- C:\Users\Admin\AppData\Local\Temp\e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe
  "C:\Users\Admin\AppData\Local\Temp\e143abcba28b63bf1536a71bfe371a60bd684bf02403d416ca66ab1ec5c5446f.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4784
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1244
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:1352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Google\Chrome\Application\chrome.exe

Filesize
2.8MB

MD5
6eb53be252bc198b65174039f4759e93

SHA1
c07898ac7163591463550f33314aa81f24d9b37e

SHA256
0f3db7b9da2e888ff93236d8c91157b9fe4577600e87ed5f8d3659a97ec9c72e

SHA512
4380af6168381a06c3c5bc7356f9ff7183041a5ee345d60df98e1889b328b6af02f74f99587ee18b5ceebb6527cb39151134588105c0e1420eba2886f72d1046

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-919254492-3979293997-764407192-1000\_desktop.ini

Filesize
10B

MD5
743754b59d55d26c081d8f839a3662c8

SHA1
8e88e3bda53f58b9122f6f9c9a5f23f80e7be6c7

SHA256
bbb0f1aae4572c821fac1d6b7890df67d9f4a7576af30e70925192dded063e8b

SHA512
1e8d9e5e1651bd2aaef969713d949cc4ddab58c53d0be31392d660aedeb621a0f968196e4938d2ba75e40ebdb7557cee23bf5587877268cb087fdd09a8abba1b

Download Submit
memory/4784-0-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4784-5-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4784-6-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4784-10-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4784-15-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4784-21-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4784-26-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4784-30-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4784-36-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/4784-1267-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download