Analysis Overview
SHA256
1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35
Threat Level: Shows suspicious behavior
The file 1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Reads user/profile data of web browsers
Drops startup file
Enumerates connected drives
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-07 19:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-07 19:58
Reported
2024-04-07 20:00
Platform
win7-20240221-en
Max time kernel
150s
Max time network
125s
Command Line
Signatures
Reads user/profile data of web browsers
Enumerates connected drives
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\rundl132.exe | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File created | C:\Windows\Dll.dll | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe
"C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe"
C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
Files
memory/1044-0-0x0000000000400000-0x000000000043F000-memory.dmp
memory/1204-3-0x00000000029F0000-0x00000000029F1000-memory.dmp
memory/1044-7-0x0000000000400000-0x000000000043F000-memory.dmp
F:\$RECYCLE.BIN\S-1-5-21-406356229-2805545415-1236085040-1000\_desktop.ini
| MD5 | 331b730a7f1adbf1f0bc05e0c610f0f1 |
| SHA1 | 2f2283f84f040fbd4ecf99055026b70bb3b732ec |
| SHA256 | 2d3dbb80989e5cc7ef9ef800cc986bb8dccf4ca1f78437040bccd59312a55593 |
| SHA512 | 16790117c382e66c8af2932ed0c37229ae5ee6b8bbaa8bd4e3f9afed6e07cd89c5807c81145f19f561ab714d844826cf6099a6dc97d84fa3f9da5e763bcc78c4 |
C:\Program Files\7-Zip\7zG.exe
| MD5 | a54a6af3da296876302cc37eb781bad5 |
| SHA1 | 5176268af0a0acf3108cf41ada70051115ab073d |
| SHA256 | dae65a4be9e5c6e874a11208bf59de285f314beb0d1e5097192fa768ddeb085b |
| SHA512 | f8edceab7769f98d540466ab6beaa136ae15f976960eb5166c4c18da568128761b9de915f978ad31b935b12fb9434222102a013ccaa0851b11262cefa1a95f5a |
memory/1044-1743-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
| MD5 | 283f68a6ebd27193167b0d393e0854c1 |
| SHA1 | 69e7e2be3615cda7f36ea083f8a0ab7bee51bdbf |
| SHA256 | 1ea60a85ed4901ceb24b582d53251a8a4565fe7baa5fa3b61bdbdd8152bd93bf |
| SHA512 | 2ab41536a69db38af5ec16f82bf633eec88797733654bdee5c3ec098839806106934e67f9390c1c4b5702094ae7ba6adf32896a4c7d4d095c3b2d2c8559d6350 |
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
| MD5 | 1e8cb3f8c1780c774b7d6fc122826f12 |
| SHA1 | 475708a1f29a9529d3d471a2cea5c64513ab4128 |
| SHA256 | 65f0e48a590681fd14bf38dbbf806d91d1c8db9c6a90399e7082c4073472d206 |
| SHA512 | fe2689bbf2605cc654553e8ea014cb415bed633958011742c326edfb9bf8aaeb8d72ed0ccc28f27ed470307e11ed2c2149f662dbc54d415657a2a2dd179cb139 |
memory/1044-3966-0x0000000000400000-0x000000000043F000-memory.dmp
memory/1044-4063-0x0000000000400000-0x000000000043F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-07 19:58
Reported
2024-04-07 20:00
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\wa\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sv-se\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-cn\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\da-dk\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\eu-es\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\uk-ua\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ar-ae\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\he-il\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sl-si\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\es\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sk-sk\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ca-es\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nb-no\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\cs\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\pt_BR\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ro-ro\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hr-hr\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ast\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\id\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\it-it\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\it-IT\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sl-si\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\de-de\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\tr\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\skins\fonts\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-ma\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fi-fi\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-gb\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-ae\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\eu-es\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\eu\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pl-pl\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-tw\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\da-dk\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\nb-no\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ro-ro\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\images\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\private_browsing.exe | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ko-kr\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ru-ru\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ca-es\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\services_discovery\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File created | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\fi-fi\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\ca\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-ma\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\uk-ua\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\rundl132.exe | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
| File created | C:\Windows\Dll.dll | C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe
"C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe"
C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.118.77.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.173.189.20.in-addr.arpa | udp |
Files
memory/2748-0-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2748-3-0x0000000000400000-0x000000000043F000-memory.dmp
F:\$RECYCLE.BIN\S-1-5-21-983155329-280873152-1838004294-1000\_desktop.ini
| MD5 | 331b730a7f1adbf1f0bc05e0c610f0f1 |
| SHA1 | 2f2283f84f040fbd4ecf99055026b70bb3b732ec |
| SHA256 | 2d3dbb80989e5cc7ef9ef800cc986bb8dccf4ca1f78437040bccd59312a55593 |
| SHA512 | 16790117c382e66c8af2932ed0c37229ae5ee6b8bbaa8bd4e3f9afed6e07cd89c5807c81145f19f561ab714d844826cf6099a6dc97d84fa3f9da5e763bcc78c4 |
C:\Program Files\dotnet\dotnet.exe
| MD5 | 38a1e97d7187fdc11589e5e15a8fc4fc |
| SHA1 | c517b9ee6f5e30759c0b6ce4daf4a15e0463a9cf |
| SHA256 | 0aa10f34fd6e443727817f49157b78f01860247c8b9e02c29e09b80e8272b61b |
| SHA512 | 02bae4826fda6d6fc9bbd69c34372705707513a2409ff8d7b61afffd6787952ab81c39cad257b26d60758de6a9275c8d17711763ec4225315fb875b7c899283c |
memory/2748-3029-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
| MD5 | 283f68a6ebd27193167b0d393e0854c1 |
| SHA1 | 69e7e2be3615cda7f36ea083f8a0ab7bee51bdbf |
| SHA256 | 1ea60a85ed4901ceb24b582d53251a8a4565fe7baa5fa3b61bdbdd8152bd93bf |
| SHA512 | 2ab41536a69db38af5ec16f82bf633eec88797733654bdee5c3ec098839806106934e67f9390c1c4b5702094ae7ba6adf32896a4c7d4d095c3b2d2c8559d6350 |
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
| MD5 | c990d863ba6bead31194a4d94ea65a1a |
| SHA1 | 9425bf1710eb26690cd8151ba6a3e292fd7f3814 |
| SHA256 | 56912c50f21ad52af2fd4e0062ea113de7971e8123ec86e761791c06b76a5a9c |
| SHA512 | b912641772efd0fd89fbacdd162350b5c933b541a64e9287ec729b777e668f0dd4d8ec6747eb095f5e4dc8d7c2b1e59ad542add5db21864181af221fa0d18196 |
memory/2748-8639-0x0000000000400000-0x000000000043F000-memory.dmp