Malware Analysis Report

2024-11-13 13:58

Sample ID: 240407-ypys7ada3x
Target: 1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35
SHA256: 1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35
Tags: spyware stealer
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10

SHA256: 1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35

Threat Level: Shows suspicious behavior

The file 1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35 was classified as: Shows suspicious behavior.

Malicious Activity Summary

spyware stealer

Reads user/profile data of web browsers

Drops startup file

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-07 19:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-07 19:58
Reported: 2024-04-07 20:00
Platform: win7-20240221-en
Max time kernel: 150s
Max time network: 125s

Command Line

C:\Windows\Explorer.EXE

Signatures

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Windows Mail\wabmig.exe C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\7-Zip\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Accessories\es-ES\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2launcher.exe C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\hy\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ps\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\tr\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ne\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\lib\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Atlantic\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files\Microsoft Office\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sk\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\de-DE\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\stream_filter\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\hu\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\my\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\server\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\am\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files\VideoLAN\VLC\skins\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\Internet Explorer\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\bin\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Windows\Dll.dll C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1044 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe C:\Windows\SysWOW64\net.exe
PID 1044 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe C:\Windows\SysWOW64\net.exe
PID 1044 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe C:\Windows\SysWOW64\net.exe
PID 1044 wrote to memory of 2372 N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe C:\Windows\SysWOW64\net.exe
PID 2372 wrote to memory of 2608 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2372 wrote to memory of 2608 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2372 wrote to memory of 2608 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2372 wrote to memory of 2608 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1044 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe C:\Windows\SysWOW64\net.exe
PID 1044 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe C:\Windows\SysWOW64\net.exe
PID 1044 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe C:\Windows\SysWOW64\net.exe
PID 1044 wrote to memory of 1200 N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe C:\Windows\SysWOW64\net.exe
PID 1200 wrote to memory of 2624 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1200 wrote to memory of 2624 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1200 wrote to memory of 2624 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1200 wrote to memory of 2624 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1044 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe C:\Windows\Explorer.EXE
PID 1044 wrote to memory of 1204 N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe
    "C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe"

C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/1044-0-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1204-3-0x00000000029F0000-0x00000000029F1000-memory.dmp

memory/1044-7-0x0000000000400000-0x000000000043F000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-406356229-2805545415-1236085040-1000\_desktop.ini

MD5 331b730a7f1adbf1f0bc05e0c610f0f1
SHA1 2f2283f84f040fbd4ecf99055026b70bb3b732ec
SHA256 2d3dbb80989e5cc7ef9ef800cc986bb8dccf4ca1f78437040bccd59312a55593
SHA512 16790117c382e66c8af2932ed0c37229ae5ee6b8bbaa8bd4e3f9afed6e07cd89c5807c81145f19f561ab714d844826cf6099a6dc97d84fa3f9da5e763bcc78c4

C:\Program Files\7-Zip\7zG.exe

MD5 a54a6af3da296876302cc37eb781bad5
SHA1 5176268af0a0acf3108cf41ada70051115ab073d
SHA256 dae65a4be9e5c6e874a11208bf59de285f314beb0d1e5097192fa768ddeb085b
SHA512 f8edceab7769f98d540466ab6beaa136ae15f976960eb5166c4c18da568128761b9de915f978ad31b935b12fb9434222102a013ccaa0851b11262cefa1a95f5a

memory/1044-1743-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 283f68a6ebd27193167b0d393e0854c1
SHA1 69e7e2be3615cda7f36ea083f8a0ab7bee51bdbf
SHA256 1ea60a85ed4901ceb24b582d53251a8a4565fe7baa5fa3b61bdbdd8152bd93bf
SHA512 2ab41536a69db38af5ec16f82bf633eec88797733654bdee5c3ec098839806106934e67f9390c1c4b5702094ae7ba6adf32896a4c7d4d095c3b2d2c8559d6350

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 1e8cb3f8c1780c774b7d6fc122826f12
SHA1 475708a1f29a9529d3d471a2cea5c64513ab4128
SHA256 65f0e48a590681fd14bf38dbbf806d91d1c8db9c6a90399e7082c4073472d206
SHA512 fe2689bbf2605cc654553e8ea014cb415bed633958011742c326edfb9bf8aaeb8d72ed0ccc28f27ed470307e11ed2c2149f662dbc54d415657a2a2dd179cb139

memory/1044-3966-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1044-4063-0x0000000000400000-0x000000000043F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-07 19:58
Reported: 2024-04-07 20:00
Platform: win10v2004-20240226-en
Max time kernel: 149s
Max time network: 152s

Command Line

C:\Windows\Explorer.EXE

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\wa\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sv-se\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-cn\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\da-dk\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\eu-es\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\uk-ua\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ar-ae\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\he-il\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sl-si\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\es\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sk-sk\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ca-es\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nb-no\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\cs\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\nb\LC_MESSAGES\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\pt_BR\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ro-ro\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hr-hr\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ast\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\id\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\it-it\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\it-IT\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sl-si\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\de-de\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\tr\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files\VideoLAN\VLC\skins\fonts\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-ma\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fi-fi\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-gb\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-ae\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\eu-es\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\SaslPrep\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\eu\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pl-pl\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-tw\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\da-dk\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\nb-no\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ro-ro\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\images\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ko-kr\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ru-ru\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ca-es\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\services_discovery\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\fi-fi\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ca\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-ma\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\uk-ua\_desktop.ini C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
File created C:\Windows\Dll.dll C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2748 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe C:\Windows\SysWOW64\net.exe
PID 2748 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe C:\Windows\SysWOW64\net.exe
PID 2748 wrote to memory of 4888 N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe C:\Windows\SysWOW64\net.exe
PID 4888 wrote to memory of 3232 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4888 wrote to memory of 3232 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4888 wrote to memory of 3232 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2748 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe C:\Windows\SysWOW64\net.exe
PID 2748 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe C:\Windows\SysWOW64\net.exe
PID 2748 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe C:\Windows\SysWOW64\net.exe
PID 3604 wrote to memory of 1520 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3604 wrote to memory of 1520 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3604 wrote to memory of 1520 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2748 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe C:\Windows\Explorer.EXE
PID 2748 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe

"C:\Users\Admin\AppData\Local\Temp\1999e484b85a43254eb5c7ce1a8e0a8bbaf27502c55613df58f7f48b4f41ab35.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 130.118.77.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 5.173.189.20.in-addr.arpa udp

Files

memory/2748-0-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2748-3-0x0000000000400000-0x000000000043F000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-983155329-280873152-1838004294-1000\_desktop.ini

MD5 331b730a7f1adbf1f0bc05e0c610f0f1
SHA1 2f2283f84f040fbd4ecf99055026b70bb3b732ec
SHA256 2d3dbb80989e5cc7ef9ef800cc986bb8dccf4ca1f78437040bccd59312a55593
SHA512 16790117c382e66c8af2932ed0c37229ae5ee6b8bbaa8bd4e3f9afed6e07cd89c5807c81145f19f561ab714d844826cf6099a6dc97d84fa3f9da5e763bcc78c4

C:\Program Files\dotnet\dotnet.exe

MD5 38a1e97d7187fdc11589e5e15a8fc4fc
SHA1 c517b9ee6f5e30759c0b6ce4daf4a15e0463a9cf
SHA256 0aa10f34fd6e443727817f49157b78f01860247c8b9e02c29e09b80e8272b61b
SHA512 02bae4826fda6d6fc9bbd69c34372705707513a2409ff8d7b61afffd6787952ab81c39cad257b26d60758de6a9275c8d17711763ec4225315fb875b7c899283c

memory/2748-3029-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 283f68a6ebd27193167b0d393e0854c1
SHA1 69e7e2be3615cda7f36ea083f8a0ab7bee51bdbf
SHA256 1ea60a85ed4901ceb24b582d53251a8a4565fe7baa5fa3b61bdbdd8152bd93bf
SHA512 2ab41536a69db38af5ec16f82bf633eec88797733654bdee5c3ec098839806106934e67f9390c1c4b5702094ae7ba6adf32896a4c7d4d095c3b2d2c8559d6350

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 c990d863ba6bead31194a4d94ea65a1a
SHA1 9425bf1710eb26690cd8151ba6a3e292fd7f3814
SHA256 56912c50f21ad52af2fd4e0062ea113de7971e8123ec86e761791c06b76a5a9c
SHA512 b912641772efd0fd89fbacdd162350b5c933b541a64e9287ec729b777e668f0dd4d8ec6747eb095f5e4dc8d7c2b1e59ad542add5db21864181af221fa0d18196

memory/2748-8639-0x0000000000400000-0x000000000043F000-memory.dmp