Analysis Overview
SHA256
fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90
Threat Level: Shows suspicious behavior
The file fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90 was classified as: Shows suspicious behavior.
Malicious Activity Summary
Enumerates connected drives
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Runs net.exe
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-09 07:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-09 07:34
Reported
2024-06-09 07:37
Platform
win7-20240221-en
Max time kernel
146s
Max time network
126s
Command Line
Signatures
Enumerates connected drives
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\rundl132.exe | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| --- | --- |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | "C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe" |
| C:\Windows\SysWOW64\net.exe | net stop "Kingsoft AntiVirus Service" |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service" |
Network
Files
memory/2764-0-0x0000000000400000-0x0000000000434000-memory.dmp
memory/1208-5-0x0000000001C80000-0x0000000001C81000-memory.dmp
memory/2764-7-0x0000000000400000-0x0000000000434000-memory.dmp
F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\_desktop.ini
| Hash | Value |
| --- | --- |
| MD5 | 9bf5ad0e8bbf0ba1630c244358e5c6dd |
| SHA1 | 25918532222a7063195beeb76980b6ec9e59e19a |
| SHA256 | 551cc5b618f0fa78108dd2388d9136893adb10499e4836e9728f4e96530bf02f |
| SHA512 | 7fdce76bb191d4988d92e3d97ce8db4cae1b5c1f93198bffc4e863d324d814246353200d32ea730f83345fcb7ad82213c2bcd31351e905e473d9596bc7b43ad3 |
memory/2764-14-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2764-20-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2764-66-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2764-72-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Program Files\7-Zip\7z.exe
| Hash | Value |
| --- | --- |
| MD5 | fa2dba38d9ef2621c476499e2d6c2059 |
| SHA1 | 44f8276acbe2bd08af17506877a48e062f15a3e0 |
| SHA256 | 62ff963fc1385639976f600a4b511b390d98fac0e3c80059f17bad8740f8208c |
| SHA512 | e451a00d976d3e7b9dc88ce77baea59a4263fe124d61caa8acedaa470c69b4a5f63414f0f2f0e35d0cb77023bd513fb7a706a278bc57e9e9f9b7f8489e2286b9 |
memory/2764-155-0x0000000000400000-0x0000000000434000-memory.dmp
memory/2764-1826-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
| Hash | Value |
| --- | --- |
| MD5 | 1739f92ac794136b7b005e3a65d03e22 |
| SHA1 | 3aff88b7c7601941cba191ce2817c3bea01b834a |
| SHA256 | e263b8c0eab9cbdf8a0fa5360727bdf6ed892097a0990e688de929195f63508f |
| SHA512 | 35d8a8b579241000bd7cca8c3ec80e3a02d4ae569c08b7fcd2b9d9c028e60954678825c2b26c0efe7fe17f2f46cc00fc839b0d542100296f71201b261a69bb85 |
memory/2764-3286-0x0000000000400000-0x0000000000434000-memory.dmp
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
| Hash | Value |
| --- | --- |
| MD5 | 4cfdb20b04aa239d6f9e83084d5d0a77 |
| SHA1 | f22863e04cc1fd4435f785993ede165bd8245ac6 |
| SHA256 | 30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9 |
| SHA512 | 35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-09 07:34
Reported
2024-06-09 07:37
Platform
win10v2004-20240226-en
Max time kernel
150s
Max time network
152s
Command Line
Signatures
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\cs-cz\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\da-dk\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-fr\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fi-fi\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\brx\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\cs-CZ\View3d\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\ktab.exe | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-black\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File created | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\Simple\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\gui\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\bn-BD\View3d\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\de-de\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-ae\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\jscripts\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-gb\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ro-ro\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sv-se\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\Assets\MixerBranding\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\plugins\services_discovery\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.MSPaint_2019.729.2301.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\hu-hu\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nl-nl\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\he-il\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Installer\setup.exe | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\unlimited\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_neutral_~_8wekyb3d8bbwe\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\da-dk\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ar-ae\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\gl-ES\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\uz-Latn-UZ\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\legal\javafx\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-fr\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-gb\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File created | C:\Program Files (x86)\WindowsPowerShell\Modules\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File created | C:\Program Files\Windows Photo Viewer\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-App.exe | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\collect_feedback\css\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ca-es\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\it-IT\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.17\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
| File created | C:\Program Files\dotnet\host\fxr\6.0.25\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\rundl132.exe | C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| --- | --- |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe | "C:\Users\Admin\AppData\Local\Temp\fda0d2a43e6cee9b4d650d7fed0a284473af5e7aa994907600889a92caf2da90.exe" |
| C:\Windows\SysWOW64\net.exe | net stop "Kingsoft AntiVirus Service" |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service" |
| C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4256 --field-trial-handle=2252,i,16022092570067181109,3235558581947505669,262144 --variations-seed-version /prefetch:8 |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 203.107.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.173.189.20.in-addr.arpa | udp |
Files
memory/4888-0-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4888-5-0x0000000000400000-0x0000000000434000-memory.dmp
F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\_desktop.ini
| Hash | Value |
| --- | --- |
| MD5 | 9bf5ad0e8bbf0ba1630c244358e5c6dd |
| SHA1 | 25918532222a7063195beeb76980b6ec9e59e19a |
| SHA256 | 551cc5b618f0fa78108dd2388d9136893adb10499e4836e9728f4e96530bf02f |
| SHA512 | 7fdce76bb191d4988d92e3d97ce8db4cae1b5c1f93198bffc4e863d324d814246353200d32ea730f83345fcb7ad82213c2bcd31351e905e473d9596bc7b43ad3 |
memory/4888-13-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4888-19-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4888-24-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4888-28-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Program Files\dotnet\dotnet.exe
| Hash | Value |
| --- | --- |
| MD5 | dbe4e1e5bdd0b3e9eb76d56e4b6e7fb6 |
| SHA1 | 9295f140456e6f877267194c0c8669d847847c53 |
| SHA256 | 29a2b4e8aa964811ed07d719203e3791a35fc006f6ca9545ca0aeed7df4758d2 |
| SHA512 | 7aadc949c70fd64f030ed2e930c33a9b60df3d22b04e06a1c37b02e0c4a32c3ac8af52abad0d3142da344b7648d9bb0f79cf2ece346fd8ebe22664bfd3478142 |
memory/4888-1001-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4888-1168-0x0000000000400000-0x0000000000434000-memory.dmp
memory/4888-1963-0x0000000000400000-0x0000000000434000-memory.dmp
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
| Hash | Value |
| --- | --- |
| MD5 | 1739f92ac794136b7b005e3a65d03e22 |
| SHA1 | 3aff88b7c7601941cba191ce2817c3bea01b834a |
| SHA256 | e263b8c0eab9cbdf8a0fa5360727bdf6ed892097a0990e688de929195f63508f |
| SHA512 | 35d8a8b579241000bd7cca8c3ec80e3a02d4ae569c08b7fcd2b9d9c028e60954678825c2b26c0efe7fe17f2f46cc00fc839b0d542100296f71201b261a69bb85 |