Analysis Overview
SHA256
cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf
Threat Level: Likely malicious
The file cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf was found to be: Likely malicious.
Malicious Activity Summary
Drops file in Drivers directory
Drops startup file
Reads user/profile data of web browsers
Enumerates connected drives
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
Runs net.exe
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-02 22:29
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-02 22:29
Reported
2024-06-02 22:32
Platform
win7-20240220-en
Max time kernel
149s
Max time network
122s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rundl132.exe | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File created | C:\Windows\Dll.dll | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe
"C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe"
C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
Files
memory/1028-0-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1152-5-0x0000000002A20000-0x0000000002A21000-memory.dmp
memory/1028-9-0x0000000000400000-0x000000000043E000-memory.dmp
F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\_desktop.ini
| MD5 | af485d3db9f82d3e5bdc8c6d87fb742e |
| SHA1 | f879c3dbd3d34e9789ff73896508bfbeabbf7468 |
| SHA256 | 7a7b688ede50bbaf08d4579fbd8c6b6c99d9dd1206d95ab24d8174eb9be98759 |
| SHA512 | d5fe5155948320ef6d3f80c01c9a81f0d4f60bab381d921ab2e06b62475618b973b34346bd41b40af24f2b5aff64bba68710f405f7ff21a58f369acbaaee9360 |
C:\Program Files\7-Zip\7zG.exe
| MD5 | 836b1763e449d1eb16423f901f4dd5ad |
| SHA1 | aefdd1f54cd43da9174a2bdfb538436e0974806e |
| SHA256 | 711e2fe727ad5ac117e9114a12a31c0b98e7acd968d4a3f5999ac28132df9cfe |
| SHA512 | bd1d90d185e9dbe087f185369aa60137015a92148aa4af2a5aff1ea4b7b2fbfb7a099e0f586cba3f4045b9067892f8b870ea0485825840eee5b33189194753e7 |
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
| MD5 | dabffb38234f007c501cf88551471dfe |
| SHA1 | ea9f4c4f46ffd3cb73b767b729c62cfcca6a065c |
| SHA256 | f4126de53afbb2a68dead67d01bae1d52b38ae711b06d94629f952099e691d32 |
| SHA512 | 02229668f14c8057849b6e0babac2a5369e904178d8ac2ae5ac5dcff2ea659f4765b1590a4fe482165a4b2de7da43cb80c040befdf0410b3837ef7dfc915b6cf |
memory/1028-3204-0x0000000000400000-0x000000000043E000-memory.dmp
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
| MD5 | db30f5e16c744915af12c09f1ccf3e41 |
| SHA1 | d5feb47e0ca1c47b0a4cfc90be501e97f613ce90 |
| SHA256 | cfc87b2273f90e5125ca09d4fed15c56a82dabc54e418301f8ce23476201950e |
| SHA512 | ff466c60abd62f72cbe687d48fcc485855e0df65599da37112d3872324176bf68428c312d8fbfaf20deba2295b2c7fc51129436a73ba8bdc58836289f6a47f6b |
memory/1028-4079-0x0000000000400000-0x000000000043E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-02 22:29
Reported
2024-06-02 22:32
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\css\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File created | C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\it\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hu-hu\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ru-ru\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\cs-cz\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\sv-se\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaws.exe | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\it-IT\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\fr\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\loc\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\ktab.exe | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Web Server Extensions\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\VGX\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Templates\1033\GettingStarted16\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hu-hu\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\zh-cn\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pl-pl\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ca-es\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\pl-pl\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File created | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Validator\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ar-ae\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\es-ES\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\he\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File created | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\de\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File created | C:\Program Files (x86)\Windows Photo Viewer\es-ES\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\legal\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-sl\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\css\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\zh-tw\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ca-es\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\ja-jp\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\css\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\css\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\Updates\Download\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\css\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-tw\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sk-sk\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\it-it\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Dll.dll | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
| File created | C:\Windows\rundl132.exe | C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe
"C:\Users\Admin\AppData\Local\Temp\cf2ba6f24373f440531b5ad69cf882e8ffa80a9c556124b944dad25a0d0e35bf.exe"
C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
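The two behavioral runs above repeat the same small set of host indicators: `C:\Windows\rundl132.exe` (the digit 1 substituted for the letter l in the legitimate name rundll32.exe) and `C:\Windows\Dll.dll` created in the Windows directory, the hosts file opened for modification, a `_desktop.ini` written into the Word STARTUP folder, a `_desktop.ini` with SHA-256 `7a7b688e…` dropped on the F: drive in both detonations, and `net stop "Kingsoft AntiVirus Service"` run via net.exe and net1.exe. The script below is an added example, not part of the sandbox report or its tooling: it turns those indicators into matching rules and runs them over constructed Sysmon-style event records (process create = Event ID 1, file create/overwrite = Event ID 11). The field names, the `Hashes` string on the file event (Sysmon ID 11 does not carry hashes, so that field assumes an enriched or EDR record) and the sample events themselves are assumptions made for the demo, not real telemetry.

```python
"""Offline IOC matcher for the indicators in this report (added example).

Assumptions: events are dicts with Sysmon-like field names; the sample
events at the bottom are constructed for the demo, not captured data.
"""
import json
import re
from pathlib import PureWindowsPath

# Files dropped in the Windows directory in both behavioral runs.
DROPPED_FILES = {
    r"c:\windows\rundl132.exe",  # look-alike of rundll32.exe (digit 1 for letter l)
    r"c:\windows\dll.dll",
}
# SHA-256 of the _desktop.ini dropped on F:\ in both runs (from the report).
DROPPED_DESKTOP_INI_SHA256 = (
    "7a7b688ede50bbaf08d4579fbd8c6b6c99d9dd1206d95ab24d8174eb9be98759"
)
HOSTS_FILE = r"c:\windows\system32\drivers\etc\hosts"
# Word STARTUP folder under any user profile; files here load with Word.
WORD_STARTUP_RE = re.compile(
    r"^c:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\word\\startup\\"
)
# net.exe hands the real work to net1.exe, so match either image name,
# with or without a leading path, and tolerate optional quotes.
NET_STOP_RE = re.compile(
    r'^(?:.*\\)?net1?(?:\.exe)?\s+stop\s+"?kingsoft antivirus service"?',
    re.IGNORECASE,
)


def _norm(path: str) -> str:
    """Normalise separators and case so IOCs compare as plain strings."""
    return str(PureWindowsPath(path)).lower()


def _sha256(ev: dict):
    """Parse Sysmon's 'ALG=hex,ALG=hex' Hashes string; None if absent."""
    for part in ev.get("Hashes", "").split(","):
        key, _, value = part.partition("=")
        if key.strip().upper() == "SHA256":
            return value.strip().lower()
    return None


def match_file_event(ev: dict) -> list:
    """Return IOC names hit by one file-create/overwrite (Event ID 11) record."""
    hits = []
    target = _norm(ev.get("TargetFilename", ""))
    if target in DROPPED_FILES:
        hits.append("dropped_windows_dir_file")
    if target == HOSTS_FILE:
        hits.append("hosts_file_write")
    if WORD_STARTUP_RE.match(target) and target.endswith("_desktop.ini"):
        hits.append("word_startup_desktop_ini")
    if (PureWindowsPath(target).name == "_desktop.ini"
            and _sha256(ev) == DROPPED_DESKTOP_INI_SHA256):
        hits.append("known_desktop_ini_hash")
    return hits


def match_process_event(ev: dict) -> list:
    """Return IOC names hit by one process-create (Event ID 1) record."""
    hits = []
    if NET_STOP_RE.match(ev.get("CommandLine", "").strip()):
        hits.append("net_stop_av_service")
    return hits


def scan(lines) -> list:
    """Run both matchers over JSON-lines input; return (pid, ioc) pairs."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        if ev.get("EventID") == 11:
            hits = match_file_event(ev)
        elif ev.get("EventID") == 1:
            hits = match_process_event(ev)
        else:
            hits = []
        findings.extend((ev.get("ProcessId"), h) for h in hits)
    return findings


# Constructed sample events (not real telemetry) mirroring the report.
SAMPLE_EVENTS = [
    json.dumps({"EventID": 11, "ProcessId": 3664,
                "TargetFilename": r"C:\Windows\rundl132.exe"}),
    json.dumps({"EventID": 11, "ProcessId": 3664,
                "TargetFilename": r"C:\Windows\system32\drivers\etc\hosts"}),
    json.dumps({"EventID": 11, "ProcessId": 3664,
                "TargetFilename": r"C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini"}),
    json.dumps({"EventID": 11, "ProcessId": 3664,
                "TargetFilename": r"F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\_desktop.ini",
                "Hashes": "SHA256=" + DROPPED_DESKTOP_INI_SHA256}),
    json.dumps({"EventID": 1, "ProcessId": 4120, "Image": r"C:\Windows\SysWOW64\net.exe",
                "CommandLine": 'net stop "Kingsoft AntiVirus Service"'}),
    json.dumps({"EventID": 1, "ProcessId": 4128, "Image": r"C:\Windows\SysWOW64\net1.exe",
                "CommandLine": r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'}),
    json.dumps({"EventID": 1, "ProcessId": 500, "Image": r"C:\Windows\System32\notepad.exe",
                "CommandLine": "notepad.exe"}),  # benign control, must not match
]

if __name__ == "__main__":
    for pid, ioc in scan(SAMPLE_EVENTS):
        print(f"pid={pid} ioc={ioc}")
```

The hosts rule fires only on a create/overwrite record; an in-place append to an existing hosts file needs an EDR file-modify event rather than Sysmon ID 11. The hash rule is the one that survives renaming, since the same `_desktop.ini` content appeared under two different recycle-bin SIDs in the two runs.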
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 |  | udp |
Files
memory/3664-0-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3664-5-0x0000000000400000-0x000000000043E000-memory.dmp
F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\_desktop.ini
| MD5 | af485d3db9f82d3e5bdc8c6d87fb742e |
| SHA1 | f879c3dbd3d34e9789ff73896508bfbeabbf7468 |
| SHA256 | 7a7b688ede50bbaf08d4579fbd8c6b6c99d9dd1206d95ab24d8174eb9be98759 |
| SHA512 | d5fe5155948320ef6d3f80c01c9a81f0d4f60bab381d921ab2e06b62475618b973b34346bd41b40af24f2b5aff64bba68710f405f7ff21a58f369acbaaee9360 |
C:\Program Files\dotnet\dotnet.exe
| MD5 | d6d0a61fcca7f899396c7117c8df1731 |
| SHA1 | 97bb2fe6e910a48a550d8033d39b7f40e03fa00a |
| SHA256 | b5dca266eab324d4f3e9f07a511768335201be7c9ed015f06693e8fe9bd7cfad |
| SHA512 | 583b6f995d9912b576ff433b0948f0f24a5793a49ee0e402c28277f17fd830da73dfa3a6b836289b738e4ba2eb6bf99ee402178d517077c9e611fb470408104a |
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
| MD5 | dabffb38234f007c501cf88551471dfe |
| SHA1 | ea9f4c4f46ffd3cb73b767b729c62cfcca6a065c |
| SHA256 | f4126de53afbb2a68dead67d01bae1d52b38ae711b06d94629f952099e691d32 |
| SHA512 | 02229668f14c8057849b6e0babac2a5369e904178d8ac2ae5ac5dcff2ea659f4765b1590a4fe482165a4b2de7da43cb80c040befdf0410b3837ef7dfc915b6cf |
memory/3664-4919-0x0000000000400000-0x000000000043E000-memory.dmp
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
| MD5 | c68e034d324260384602839c6e3295de |
| SHA1 | add6ebe18274a2afd7756fcb2b5be590125eff7f |
| SHA256 | 8317babad7376315f76f48454d7f4057d60f2a13f0e469a7c877473b220af74f |
| SHA512 | 7c956a76088bae2a425fc13f8484027ae04bc9995b7ca85a92125801e0676ff660c2a1fcb4640424883455bc10a84d39788032d884e7b64178693b1a2a0885cb |
memory/3664-8636-0x0000000000400000-0x000000000043E000-memory.dmp