Analysis Overview
SHA256
4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc
Threat Level: Shows suspicious behavior
Verdict for file 4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc: Shows suspicious behavior.
Malicious Activity Summary
Enumerates connected drives
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 18:49
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 18:49
Reported
2024-06-13 18:52
Platform
win7-20240611-en
Max time kernel
150s
Max time network
124s
Command Line
Signatures
Enumerates connected drives
Drops file in Program Files directory
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rundl132.exe | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe
"C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe"
C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
Files
memory/2344-0-0x0000000000400000-0x0000000000436000-memory.dmp
memory/1264-5-0x0000000002530000-0x0000000002531000-memory.dmp
memory/2344-7-0x0000000000400000-0x0000000000436000-memory.dmp
F:\$RECYCLE.BIN\S-1-5-21-2812790648-3157963462-487717889-1000\_desktop.ini
| MD5 | 4f2460b507685f7d7bfe6393f335f1c9 |
| SHA1 | 378d42f114b1515872e58de6662373af31ab8c7b |
| SHA256 | 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42 |
| SHA512 | 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb |
memory/2344-14-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2344-20-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2344-66-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2344-72-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Program Files\7-Zip\7zFM.exe
| MD5 | f0572dc5e55a0134164be82897b865f0 |
| SHA1 | 3185a9c1f2d8f02386c3e0ae754d517393952731 |
| SHA256 | bc5bf78b30919044d13ae23ef35a4aa19a8fe498464db155a9c81ec3875f4c5f |
| SHA512 | 7e29723e8ba4b268cfd783f4b33b4905479dd7ff23efdc2668857f379d4815b44a59a451dd65ffc32e59c52f5a583d4ef763d8b7970aa85757f3873638e9e95f |
memory/2344-564-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2344-1849-0x0000000000400000-0x0000000000436000-memory.dmp
memory/2344-2207-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
| MD5 | 1cc007ad1cf7a7166c5948204c910c52 |
| SHA1 | 378f62d6d34f7ce4ca389bd378ff9bce27222731 |
| SHA256 | 302563b3bc71e1ec5178f58aceed32cf6c91664372d00f61038880b31b6bbecb |
| SHA512 | 9f6de25ba108d143d391b876658997c7f31989ca57f0d2783d45a23c721996c7c76cbd1f89c98feed38d55b5d11c1098898549872671164a688bef4e934fd463 |
memory/2344-3309-0x0000000000400000-0x0000000000436000-memory.dmp
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
| MD5 | c14a5111b798cff20d7d66b0e035d409 |
| SHA1 | 29f0894552b30815fed6ad231b5721e876869552 |
| SHA256 | fd6f57dc1b82f6301cbecbf9db5728a9a69b10e3edbf4f8a1dfef571c77a6cb6 |
| SHA512 | a4d8b74216c76fa3d48ab7300452725602bc6d5bcc0e6c23d458d65362cd24751f23755180ae69633090b172e95f18f225c0cb4a71dd1e050d8b3dff466e7f1b |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 18:49
Reported
2024-06-13 18:52
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
151s
Command Line
Signatures
Enumerates connected drives
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\StoreLogo\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\da-dk\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-il\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-ma\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\unpack200.exe | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBridge\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nb-no\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-sl\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-sl\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\tr-tr\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\de-DE\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\eo\LC_MESSAGES\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-black\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-ae\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\cs-cz\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\zh-cn\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\it-it\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\browser\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Resources\RetailDemo\strings\en-us\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_~_8wekyb3d8bbwe\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ko-kr\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-fr\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\cs-cz\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\it\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ne\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Lighting\Light\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hr-hr\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\{F3C4FE00-EFD5-403B-9569-398A20F1BA4A}\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\es-es\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pl-pl\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\AppInfoDocument\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File created | C:\Program Files\Java\jre-1.8\lib\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ru-ru\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-cn\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\es-ES\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\dtplugin\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftEdge.Stable_92.0.902.67_neutral__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Services.Store.Engagement_10.0.18101.0_x86__8wekyb3d8bbwe\AppxMetadata\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\de-de\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\es_MX\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\Images\Ratings\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\uk-ua\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\pt-br\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\lib\applet\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sw-KE\View3d\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rundl132.exe | C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe
"C:\Users\Admin\AppData\Local\Temp\4928dedaf44a46abd5e014e2ad3ddf7e281a4ecd2cf6a00cb762679da9901afc.exe"
C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | | tcp |
Files
memory/3496-0-0x0000000000400000-0x0000000000436000-memory.dmp
memory/3496-5-0x0000000000400000-0x0000000000436000-memory.dmp
F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\_desktop.ini
| MD5 | 4f2460b507685f7d7bfe6393f335f1c9 |
| SHA1 | 378d42f114b1515872e58de6662373af31ab8c7b |
| SHA256 | 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42 |
| SHA512 | 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb |
memory/3496-12-0x0000000000400000-0x0000000000436000-memory.dmp
memory/3496-19-0x0000000000400000-0x0000000000436000-memory.dmp
memory/3496-22-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Program Files\dotnet\dotnet.exe
| MD5 | 789727db484b9ccef228b4540c976c77 |
| SHA1 | 3f425d7dec5abc50878707f219dfe8f752a2eeb0 |
| SHA256 | 7e78362685f2259541422899c96484544bbfd14f2b9f75a5ecb77c0a7758a4f9 |
| SHA512 | 2184a0c02506b10eb77311448247104163106e6da8dadc55eeff0cb77d57f2bfd90eb01fcb907527a204347cea406781483ecb5eaaa4a070f5af23ba88c2e6e3 |
memory/3496-82-0x0000000000400000-0x0000000000436000-memory.dmp
memory/3496-1217-0x0000000000400000-0x0000000000436000-memory.dmp
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
| MD5 | 1cc007ad1cf7a7166c5948204c910c52 |
| SHA1 | 378f62d6d34f7ce4ca389bd378ff9bce27222731 |
| SHA256 | 302563b3bc71e1ec5178f58aceed32cf6c91664372d00f61038880b31b6bbecb |
| SHA512 | 9f6de25ba108d143d391b876658997c7f31989ca57f0d2783d45a23c721996c7c76cbd1f89c98feed38d55b5d11c1098898549872671164a688bef4e934fd463 |
memory/3496-4782-0x0000000000400000-0x0000000000436000-memory.dmp
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
| MD5 | ad5a7e5eb1a1cdd791957e07c93748ae |
| SHA1 | 6e4f8c5f4d791327e11d0d68ca6f514554af8481 |
| SHA256 | cfee92d916fbbb95d8282c3264d3708ad1ddfdd9db4daaf00e0c96a22854c4dc |
| SHA512 | a8acd191aec48dac8d5808a93ee973ea52793140e318b4d870fb10e4e8ba0756fe95654134dd1c175168375a0f7caebfd8a7d46a9b3dc71006f830b53dd9fefe |
memory/3496-5221-0x0000000000400000-0x0000000000436000-memory.dmp