Malware Analysis Report

2024-11-15 06:41

Sample ID 240603-lh4dwaab8t
Target 335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d
SHA256 335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d
Tags
spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d

Threat Level: Shows suspicious behavior

The file 335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d was found to show suspicious behavior.

Malicious Activity Summary

spyware stealer

Reads user/profile data of web browsers

Drops startup file

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Runs net.exe

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 09:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 09:32

Reported

2024-06-03 09:35

Platform

win7-20240220-en

Max time kernel

150s

Max time network

119s

Command Line

C:\Windows\Explorer.EXE

Signatures

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Defender\fr-FR\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Stationery\1033\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\pa\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\bn\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files (x86)\Internet Explorer\en-US\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\en_GB\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files\Windows Journal\fr-FR\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\it-IT\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access_output\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\Visualizations\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Minesweeper\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\fr-FR\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files\7-Zip\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\1033\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files (x86)\Internet Explorer\fr-FR\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\de-DE\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Atlantic\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\FreeCell.exe C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\bin\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ca\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Eula.exe C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Windows\Dll.dll C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2924 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe C:\Windows\SysWOW64\net.exe
PID 2924 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe C:\Windows\SysWOW64\net.exe
PID 2924 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe C:\Windows\SysWOW64\net.exe
PID 2924 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe C:\Windows\SysWOW64\net.exe
PID 2992 wrote to memory of 2852 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2992 wrote to memory of 2852 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2992 wrote to memory of 2852 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2992 wrote to memory of 2852 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2924 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe C:\Windows\SysWOW64\net.exe
PID 2924 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe C:\Windows\SysWOW64\net.exe
PID 2924 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe C:\Windows\SysWOW64\net.exe
PID 2924 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe C:\Windows\SysWOW64\net.exe
PID 2848 wrote to memory of 2844 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2848 wrote to memory of 2844 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2848 wrote to memory of 2844 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2848 wrote to memory of 2844 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2924 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe C:\Windows\Explorer.EXE
PID 2924 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe

"C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/2924-0-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1064-3-0x0000000002AD0000-0x0000000002AD1000-memory.dmp

memory/2924-7-0x0000000000400000-0x000000000043D000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\_desktop.ini

MD5 a6f28952c332969f9e6d9f7d1a449737
SHA1 31c0826adb63cc03162fb9e88781f4b50da8f11b
SHA256 d9d875805581110dafdfb2ceb34c5e60f50fe720963f9813c287e4845248d208
SHA512 8187572ee8fbb9a42af34a3444be3a4309c5a798e7b1f27fce5b28b7168b72d015b1c10e611ccd3a9361af2aaeab831d2734017f77adff341c3fdb876c296eac

C:\Program Files\7-Zip\7zG.exe

MD5 2ed78a6c3ceb05a797136801832362d1
SHA1 92b80be47703bcc757ebd271989a06746bd3136b
SHA256 879d0c9b666fdaa2d6d8c75778ff85c5922942dd99eb21ee1e4cef4ada3f9b5a
SHA512 547f99bbabca1991c4623a3593e22491a277f53be488abe737152268f1478a5937d6fa3904e2d3b24d964f8422e18e863e49b6c3b766b9f2db7f99b14662bcdb

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 faaa09cb2d9197da4a00a0df01ac2e5c
SHA1 ce497e70212da947764b054c161a468be867cf1b
SHA256 51d9d9203fddf941f10518b44fa657ea3a68c2156ba573b36cbec3c8959992c6
SHA512 98feb4b1927fe22b02fa5169dd77b774b8d467ff71ca6b5d6f5244723e6d4ce118d647821db2e1cbc8441316fdbec463bd1d06ce3a398b3ed43c7834ecbf43c6

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 5e54b5419052a6321d15fe6088be5258
SHA1 420003c0ad68fa2b977bee9e2ca2d1a53f8f1ec2
SHA256 142a70f95c82ea8acba8d3550273a20411a5b82f6d1b1c9657db51c3f83d5d97
SHA512 6d2d2025ed17d6f730d3fbb3a5549e60cfe951c7d9e0063f4ecca045ee28a375eac11fb9aa9cc484b181369165a0f7abae967807bad16aac0e4b60b7a8092f71

memory/2924-3254-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2924-4076-0x0000000000400000-0x000000000043D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 09:32

Reported

2024-06-03 09:35

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

95s

Command Line

C:\Windows\Explorer.EXE

Signatures

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\cs-cz\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files (x86)\Windows Media Player\Skins\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-tw\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fr-fr\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\is\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-cn\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nb-no\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\cs-cz\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-cn\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\de-de\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\css\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\nb\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\tr-tr\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\it-IT\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\da-dk\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\eu-es\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fr-ma\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ru-ru\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sl-si\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files (x86)\Google\Update\Install\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\zh_TW\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\it-IT\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files (x86)\Windows Media Player\es-ES\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nl-nl\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ko-kr\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sl\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-fr\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sk-sk\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\he-il\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-il\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\themes\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_GB\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-ma\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hu-hu\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pl-pl\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-cn\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ca-es\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLENDS\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\root\_desktop.ini C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
File created C:\Windows\Dll.dll C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe N/A
(60 identical entries for this process)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4708 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe C:\Windows\SysWOW64\net.exe
PID 4708 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe C:\Windows\SysWOW64\net.exe
PID 4708 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe C:\Windows\SysWOW64\net.exe
PID 2272 wrote to memory of 5064 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2272 wrote to memory of 5064 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2272 wrote to memory of 5064 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4708 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe C:\Windows\SysWOW64\net.exe
PID 4708 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe C:\Windows\SysWOW64\net.exe
PID 4708 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe C:\Windows\SysWOW64\net.exe
PID 532 wrote to memory of 548 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 532 wrote to memory of 548 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 532 wrote to memory of 548 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4708 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe C:\Windows\Explorer.EXE
PID 4708 wrote to memory of 3552 N/A C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe

"C:\Users\Admin\AppData\Local\Temp\335e1655106eb4e07013c87fae6ae18f87132e28ab6b78f0a80889684d10316d.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 3.181.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp

Files

memory/4708-0-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4708-3-0x0000000000400000-0x000000000043D000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-4018855536-2201274732-320770143-1000\_desktop.ini

MD5 a6f28952c332969f9e6d9f7d1a449737
SHA1 31c0826adb63cc03162fb9e88781f4b50da8f11b
SHA256 d9d875805581110dafdfb2ceb34c5e60f50fe720963f9813c287e4845248d208
SHA512 8187572ee8fbb9a42af34a3444be3a4309c5a798e7b1f27fce5b28b7168b72d015b1c10e611ccd3a9361af2aaeab831d2734017f77adff341c3fdb876c296eac

C:\Program Files\7-Zip\7zG.exe

MD5 2ed78a6c3ceb05a797136801832362d1
SHA1 92b80be47703bcc757ebd271989a06746bd3136b
SHA256 879d0c9b666fdaa2d6d8c75778ff85c5922942dd99eb21ee1e4cef4ada3f9b5a
SHA512 547f99bbabca1991c4623a3593e22491a277f53be488abe737152268f1478a5937d6fa3904e2d3b24d964f8422e18e863e49b6c3b766b9f2db7f99b14662bcdb

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 faaa09cb2d9197da4a00a0df01ac2e5c
SHA1 ce497e70212da947764b054c161a468be867cf1b
SHA256 51d9d9203fddf941f10518b44fa657ea3a68c2156ba573b36cbec3c8959992c6
SHA512 98feb4b1927fe22b02fa5169dd77b774b8d467ff71ca6b5d6f5244723e6d4ce118d647821db2e1cbc8441316fdbec463bd1d06ce3a398b3ed43c7834ecbf43c6

memory/4708-5162-0x0000000000400000-0x000000000043D000-memory.dmp

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 9363a720e098b38389b25a7b18cfbcdd
SHA1 7b5e835b22262b47e6042e7aadecc67dac05f7db
SHA256 10579b661dade8697f252204f241952eb2029ea6978165f9336fd60a72b3205e
SHA512 564b873358ebe4d4d194b924e9934cb5c1666df901db2556e8cbab8276f8c4380a5bee157cc8eb2063fe0f48a1d0dc1cf339d3d3040d764c974e1c46b0870f88

memory/4708-8641-0x0000000000400000-0x000000000043D000-memory.dmp