Malware Analysis Report

2024-10-19 08:23

Sample ID 240613-xczz2sxgqd
Target 3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd
SHA256 3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd
Tags
score
6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
6/10

SHA256

3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd

Threat Level: Shows suspicious behavior

The file 3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd was found to show suspicious behavior.

Malicious Activity Summary


Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 18:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 18:43

Reported

2024-06-13 18:45

Platform

win7-20240611-en

Max time kernel

146s

Max time network

125s

Command Line

C:\Windows\Explorer.EXE

Signatures

Enumerates connected drives

Description: File opened (read-only)
Process: C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe
Target: N/A
Indicators (one read-only open per drive letter, 21 letters, in the order reported):
\??\H: \??\Z: \??\Y: \??\X: \??\W: \??\R: \??\P: \??\O: \??\Q: \??\N: \??\M: \??\E: \??\U: \??\S: \??\L: \??\K: \??\I: \??\G: \??\V: \??\T: \??\J:

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\services_discovery\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SAMPLES\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\es-ES\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTO\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files (x86)\Windows Media Player\fr-FR\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\gd\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\PMP\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.es\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\es-ES\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files\Java\jre7\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\es-ES\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\ACCWIZ\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files\Microsoft Games\Chess\it-IT\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files\Microsoft Games\More Games\de-DE\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\nn\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files\Windows Journal\it-IT\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\14\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\Space Templates\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\mr\LC_MESSAGES\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\id\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files\VideoLAN\VLC\skins\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files (x86)\Common Files\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Swirl\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\playlist\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\en-US\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Kentucky\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files\Microsoft Games\FreeCell\de-DE\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\Stamps\ENU\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A

Runs net.exe

Processes

C:\Windows\Explorer.EXE
    Command line: C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe"

C:\Windows\SysWOW64\net.exe
    Command line: net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe
    Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Note: net.exe and net1.exe execute from SysWOW64 even though net1 is invoked by its system32 path. That is WOW64 file system redirection, which only applies to 32-bit processes, so the sample and the net.exe it launches are 32-bit. The report records only the command line; it does not show whether the named service existed on the sandbox image or whether the stop succeeded.

Network

N/A

Files

memory/2444-0-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1188-5-0x00000000029B0000-0x00000000029B1000-memory.dmp

memory/2444-7-0x0000000000400000-0x0000000000435000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-39690363-730359138-1046745555-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

memory/2444-14-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2444-20-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2444-66-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2444-72-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Program Files\7-Zip\7zFM.exe

MD5 b5f68b8b5db039fa8259fd642e97b47c
SHA1 b770612744e48448d38eabf3623ea01019f2c834
SHA256 f1e4bf7f4289827a8f78803eb8a2fc56123884ae194f425d9fe9010aea6be037
SHA512 da459b7f6d7151aa47b46ceaf16e6ce0c6d65280667ce0fde3665bd04c78522072603f7f35add45c9db809ed610e4368b7721b215808297c1697b05e4f9aa852

memory/2444-199-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2444-1849-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 e723a1bc7f82cb9ebbb977cdc1fb1be3
SHA1 69f4ed87384d009a9669dfb8f26482e1435bcdb1
SHA256 2cea9cadd842f36c80e051ed4cbd759e6269674d54ef65ec7056b5ac71ee4913
SHA512 2c79d02c7e32c37e46f18996fe87e3b269068449d4df2e0539ef63c01cd4be8a84c8e3954f5985159eb2428fdd5bb62ca2eafa3c3c4bae51a3b4a64facaa0c0c

memory/2444-3309-0x0000000000400000-0x0000000000435000-memory.dmp

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 4100989c8d5ce68961d0c2b60a89a51e
SHA1 8b80ac2c768b4e560136c43fe18216f0297c5a46
SHA256 df07c2ea6c79547869af56432ba7575f1e3bfd4d899869ab16b4c66f3ae09735
SHA512 efbff8c2cbd481560a61c2c0fa375dae37b6ee0fe1a57d1db9cbccbf34e10649541171ff3f1c4888bf680c029186b882afb0fa2919288edee114f59cdcbae50a
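The behavioral1 tables above are raw rows; what an analyst wants from them is a handful of derived facts: how many drive letters were probed, how many _desktop.ini files were dropped across Program Files and which third-party executables were opened for modification, whether the file created in C:\Windows (rundl132.exe) is a near miss of a real system binary name, which service the net.exe child tried to stop, and whether the memory dumps show any region other than the sample's own image. The following Python is an added example written for this page; it is not part of the sandbox report or of any vendor tooling. Its input is a constructed subset of rows copied from the tables and process list above, the KNOWN_SYSTEM_BINARIES list and all regexes are assumptions made for the example, and the lookalike check is a heuristic (edit distance of at most 2 against that list), not a signature.

```python
"""Triage helpers for the sandbox signature rows above (added example, not part of the report)."""
import re
from collections import defaultdict
from pprint import pprint

# Constructed input: rows copied from the behavioral1 tables, in the report's column order
# (Description, Indicator, Process); Target is always N/A and is omitted.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe")
ROWS = [
    ("File opened (read-only)", r"\??\H:", SAMPLE),
    ("File opened (read-only)", r"\??\Z:", SAMPLE),
    ("File opened (read-only)", r"\??\E:", SAMPLE),
    ("File opened for modification", r"C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\_desktop.ini", SAMPLE),
    ("File opened for modification", r"C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe", SAMPLE),
    ("File created", r"C:\Program Files (x86)\Windows Media Player\fr-FR\_desktop.ini", SAMPLE),
    ("File created", r"C:\Program Files\VideoLAN\VLC\skins\_desktop.ini", SAMPLE),
    ("File opened for modification", r"C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\EQNEDT32.EXE", SAMPLE),
    ("File created", r"C:\Windows\rundl132.exe", SAMPLE),
]
COMMAND_LINES = ['"' + SAMPLE + '"', 'net stop "Kingsoft AntiVirus Service"',
                 r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"']
DUMPS = ["memory/2444-0-0x0000000000400000-0x0000000000435000-memory.dmp",
         "memory/1188-5-0x00000000029B0000-0x00000000029B1000-memory.dmp",
         "memory/2444-1849-0x0000000000400000-0x0000000000435000-memory.dmp"]
# Assumed reference list of legitimate system binary names for the lookalike check.
KNOWN_SYSTEM_BINARIES = ["rundll32.exe", "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe"]

DRIVE_RE = re.compile(r"^\\\?\?\\([A-Z]):$")
SERVICE_STOP_RE = re.compile(r'^(?:.*\\)?net1?(?:\.exe)?\s+stop\s+"?([^"]+?)"?\s*$', re.I)
DUMP_RE = re.compile(r"^memory/(\d+)-\d+-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

def enumerated_drives(rows):
    """Drive letters probed through \\??\\X: opens ('Enumerates connected drives')."""
    return sorted({m.group(1) for _d, ind, _p in rows for m in [DRIVE_RE.match(ind)] if m})

def program_files_writes(rows):
    """Split Program Files writes into _desktop.ini drops and executables opened for writing."""
    ini, exe = [], []
    for _desc, indicator, _proc in rows:
        low = indicator.lower()
        if low.startswith("c:\\program files") and low.endswith("\\_desktop.ini"):
            ini.append(indicator)
        elif low.startswith("c:\\program files") and low.endswith(".exe"):
            exe.append(indicator)
    return ini, exe

def edit_distance(a, b):
    """Levenshtein distance, used to catch typosquatted system binary names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def windows_dir_lookalikes(rows, max_distance=2):
    """Files created directly under C:\\Windows whose name is a near miss of a system binary."""
    hits = []
    for desc, indicator, _proc in rows:
        head, _, name = indicator.rpartition("\\")
        if desc != "File created" or head.lower() != "c:\\windows":
            continue
        for legit in KNOWN_SYSTEM_BINARIES:
            d = edit_distance(name.lower(), legit)
            if 0 < d <= max_distance:
                hits.append((indicator, legit, d))
    return hits

def stopped_services(command_lines):
    """Service names passed to 'net stop' / 'net1 stop' (the report's 'Runs net.exe' signature)."""
    return sorted({m.group(1).strip() for cl in command_lines
                   for m in [SERVICE_STOP_RE.match(cl)] if m})

def dump_regions(dump_names):
    """PID -> set of (base, size) regions the sandbox dumped; a PID whose dumps all cover one
    unchanging region showed no new memory region worth dumping during the run."""
    regions = defaultdict(set)
    for name in dump_names:
        m = DUMP_RE.match(name)
        if m:
            pid, start, end = m.groups()
            regions[int(pid)].add((int(start, 16), int(end, 16) - int(start, 16)))
    return dict(regions)

if __name__ == "__main__":
    pprint({"drives": enumerated_drives(ROWS), "program_files": program_files_writes(ROWS),
            "lookalikes": windows_dir_lookalikes(ROWS),
            "services_stopped": stopped_services(COMMAND_LINES), "dump_regions": dump_regions(DUMPS)})
```

On the report's own data this yields: 21 drive letters probed (E: through Z: except F:, and F: is exactly where the $RECYCLE.BIN _desktop.ini in the Files list was written), dozens of _desktop.ini creations plus "opened for modification" on pack200.exe and EQNEDT32.EXE, rundl132.exe at edit distance 1 from rundll32.exe, one stopped service name, and memory dumps of a single 0x400000-0x435000 region (a 32-bit image base) for PID 2444 against one 4 KiB region in PID 1188. Executables being opened for writing and a second PID acquiring a small dumped region are the details to chase next (hash the touched executables against known-good copies; the Files list already records hashes for 7zFM.exe, GoogleUpdateCore.exe and vcredist_x64.exe), together with the WriteProcessMemory signature in the summary.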

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 18:43

Reported

2024-06-13 18:45

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

Enumerates connected drives

Description: File opened (read-only)
Process: C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe
Target: N/A
Indicators (one read-only open per drive letter, 21 letters, in the order reported):
\??\U: \??\S: \??\Q: \??\O: \??\L: \??\V: \??\G: \??\Z: \??\W: \??\T: \??\P: \??\E: \??\K: \??\J: \??\I: \??\Y: \??\X: \??\R: \??\N: \??\M: \??\H:

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ar-ae\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-fr\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\uk-ua\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files (x86)\Google\CrashReports\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCamera_2018.826.98.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\Pester\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sk-sk\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fi-fi\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-cn\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sk-sk\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ru-ru\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\tr-tr\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\nb-no\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files\ModifiableWindowsApps\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\models\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\en\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\css\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\css\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\he-il\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\zh-cn\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ko-kr\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ko-kr\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\GameBar.exe C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\ja-jp\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\de-de\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\cs-cz\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\en-US\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\SlowMotionEditor\UserControls\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.513.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-ae\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\identity_proxy\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\images\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sv-se\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\pt-br\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hr-hr\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-tw\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\en-ae\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\cs-cz\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_neutral_~_8wekyb3d8bbwe\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\sv-se\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\zh-cn\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\hu-hu\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\cs-cz\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ca-es\_desktop.ini C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe

"C:\Users\Admin\AppData\Local\Temp\3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

Files

memory/3552-0-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3552-5-0x0000000000400000-0x0000000000435000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

memory/3552-12-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3552-18-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3552-22-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Program Files\dotnet\dotnet.exe

MD5 731b6158a0a0082c18c16fbfbb3a6764
SHA1 20ec0f4e81aa5ae2ad130398ac0c4e3bc6090b7a
SHA256 e53de6167e05ee183ca963d8e452efa2f8f01689144b787ce3d117120abb8635
SHA512 4a88ef57edae6e213dd4975abb19f6289a3c7b232c1e6a8edb7ed1a95eaa8c248122867d07c5b9d6f62960fde89b66de4b9b7a268825be1d18db808650f70b32

memory/3552-1216-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 e723a1bc7f82cb9ebbb977cdc1fb1be3
SHA1 69f4ed87384d009a9669dfb8f26482e1435bcdb1
SHA256 2cea9cadd842f36c80e051ed4cbd759e6269674d54ef65ec7056b5ac71ee4913
SHA512 2c79d02c7e32c37e46f18996fe87e3b269068449d4df2e0539ef63c01cd4be8a84c8e3954f5985159eb2428fdd5bb62ca2eafa3c3c4bae51a3b4a64facaa0c0c

memory/3552-4782-0x0000000000400000-0x0000000000435000-memory.dmp

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 9cba1e86016b20490fff38fb45ff4963
SHA1 378720d36869d50d06e9ffeef87488fbc2a8c8f7
SHA256 a22e6d0f5c7d44fefc2204e0f7c7b048e1684f6cf249ba98c006bbf791c22d19
SHA512 2f3737d29ea3925d10ea5c717786425f6434be732974586328f03691a35cd1539828e3301685749e5c4135b8094f15b87fb9659915de63678a25749e2f8f5765

memory/3552-5221-0x0000000000400000-0x0000000000435000-memory.dmp