fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102

Analysis

max time kernel
190s
max time network
198s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2023, 07:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
Size

26KB
MD5

bfbdfc7eb7233d2a5ca073ad8e5cd371
SHA1

e6ada9aeebe98324457077c2c361c1379d6b8c3b
SHA256

fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102
SHA512

df3c51954f03f3d6b94acc96e3289fab1a22449d08e1bfff7b665bdbbb8eab2da9bacc61a57d82cce75496dfb1069cbae454df5b1109cb7d061c267ffd507d86
SSDEEP

768:L1ODKAaDMG8H92RwZNQSwcfymNBg+g61GoL:hfgLdQAQfcfymN

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened (read-only)	\??\V:	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened (read-only)	\??\R:	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened (read-only)	\??\Q:	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened (read-only)	\??\P:	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened (read-only)	\??\J:	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened (read-only)	\??\Z:	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened (read-only)	\??\U:	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened (read-only)	\??\N:	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened (read-only)	\??\K:	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened (read-only)	\??\I:	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened (read-only)	\??\G:	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened (read-only)	\??\X:	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened (read-only)	\??\O:	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened (read-only)	\??\M:	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened (read-only)	\??\L:	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened (read-only)	\??\W:	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened (read-only)	\??\S:	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened (read-only)	\??\H:	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened (read-only)	\??\E:	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened (read-only)	\??\T:	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\fonts\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File created	C:\Program Files\Mozilla Firefox\defaults\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File created	C:\Program Files\dotnet\host\fxr\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mr\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File created	C:\Program Files\VideoLAN\VLC\skins\fonts\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File created	C:\Program Files\7-Zip\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jhat.exe	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\mr\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened for modification	C:\Program Files\dotnet\host\fxr\6.0.25\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\lib\cmm\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened for modification	C:\Program Files\Mozilla Firefox\gmp-clearkey\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ach\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ast\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File created	C:\Program Files\VideoLAN\VLC\locale\nb\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-standard\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\cgg\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\unpack200.exe	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened for modification	C:\Program Files\Microsoft Office 15\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File created	C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\km\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File created	C:\Program Files\Windows Sidebar\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File created	C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\server\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened for modification	C:\Program Files\dotnet\host\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hant\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ia\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File created	C:\Program Files\VideoLAN\VLC\locale\tr\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File created	C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File created	C:\Program Files\Java\jre-1.8\lib\security\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File created	C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File created	C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\plugins\stream_filter\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File created	C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File created	C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\CortanaApp.ViewElements\Assets\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.exe	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\legal\_desktop.ini	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rundl132.exe	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3076	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
3076	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
3076	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
3076	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
3076	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
3076	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
3076	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
3076	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
3076	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
3076	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
3076	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
3076	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
3076	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
3076	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
3076	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
3076	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
3076	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
3076	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
3076	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
3076	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 3076 wrote to memory of 3268	3076	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe	89
PID 3076 wrote to memory of 3268	3076	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe	89
PID 3076 wrote to memory of 3268	3076	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe	89
PID 3268 wrote to memory of 2288	3268	net.exe	92
PID 3268 wrote to memory of 2288	3268	net.exe	92
PID 3268 wrote to memory of 2288	3268	net.exe	92
PID 3076 wrote to memory of 3376	3076	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe	48
PID 3076 wrote to memory of 3376	3076	fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe	48

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3376
- C:\Users\Admin\AppData\Local\Temp\fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe
  "C:\Users\Admin\AppData\Local\Temp\fe1f55ff02bf2a55f30f28f7461a32e977d5a800df7b2b03d1edd9eab72bd102.exe"
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3076
- - C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3268
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      4⤵
      PID:2288

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\dotnet\dotnet.exe

Filesize
165KB

MD5
bf7879f1efde2456a29b1c28da9ac675

SHA1
1efb07a2ced73dbbc6ecba5d150e5e6815b96e3f

SHA256
f799043923d5b12e6d2f8d225dbc7a27ebe1f3cf8b0111ef5622c94fefe3638f

SHA512
682bfb159b06c7ef3f088e1e038fba66bbb6c7a8a45836a9fdc635f9b8883803ad52fca17d68aabe0d20ffb772c0ac935327dd60c806df96e4cfef3216035d16

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-635608581-3370340891-292606865-1000\_desktop.ini

Filesize
10B

MD5
34c7bf8c1e8aa0e76a1cb36da6f3c07f

SHA1
93bff4db65fd067f94ca08ce2654a2675925b27d

SHA256
89ee7da24a1550d124e7ac206a8d49733f819c098eebf27b8c7f28e931a09f53

SHA512
ba8fa54ac2e6eafb524f14c7d286d9910afd808ec561c933af8b72a9cdb813e0e7777dc04a9dfdb6c985f27f123ac34a19782d6c0e734f8ab4e9860c9033139b

Download Submit
memory/3076-6-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3076-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3076-13-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3076-19-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3076-23-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3076-25-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3076-29-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3076-5-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3076-118-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3076-310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3076-992-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download