Malware Analysis Report

2024-12-01 01:30

Sample ID: 241110-bsjgcawgma
Target: 90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c
SHA256: 90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c
Tags: discovery
Score: 6/10

Analysis Overview

Score: 6/10
SHA256: 90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c

Threat Level: Shows suspicious behavior

The file 90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c was found to show suspicious behavior.

Malicious Activity Summary

Tags: discovery

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-11-10 01:24

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-11-10 01:24
Reported: 2024-11-10 01:26
Platform: win7-20240708-en
Max time kernel: 150s
Max time network: 122s

Command Line

C:\Windows\Explorer.EXE

Signatures

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\css\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Minesweeper\MineSweeper.exe | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\control\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp_5.5.0.165303\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files\Mozilla Firefox\uninstall\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\si\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\DW\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\cmm\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files (x86)\Windows Media Player\Network Sharing\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Setup.exe | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files (x86)\Common Files\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files (x86)\Windows Defender\ja-JP\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Updater6\Adobe_Updater.exe | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files\Microsoft Games\More Games\es-ES\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\kn\LC_MESSAGES\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files\Windows Sidebar\es-ES\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BabyBlue\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\es-ES\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Hearts\ja-JP\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\lua\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\eo\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\rundl132.exe | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A

Runs net.exe

Processes

Process: C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE

Process: C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe"

Process: C:\Windows\SysWOW64\net.exe
Command line: net stop "Kingsoft AntiVirus Service"

Process: C:\Windows\SysWOW64\net1.exe
Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/1864-0-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1168-5-0x00000000029E0000-0x00000000029E1000-memory.dmp

memory/1864-7-0x0000000000400000-0x0000000000436000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3551809350-4263495960-1443967649-1000\_desktop.ini

MD5 2a3fd5c71388ca70bcd12900f65d5a77
SHA1 7619579d21480b9a4800bc830dbf20354e50b979
SHA256 a48a9bee0ea1d148d80a848e506f13606a80f84e7f4fa4a3ceeb0f47eab1bf40
SHA512 0e803903a477f9761178c6892c45f3522f9af5b6ef550f446c0dea329dcbe2753760a17086397ff4f9c66ec93a3dbbd1e7b6aaaa71f77c70c9c8de81429c3aa0

memory/1864-14-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1864-20-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1864-66-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1864-73-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Program Files\7-Zip\7zFM.exe

MD5 b3f3c89e360dac8e69d9e26e0b1f891a
SHA1 d09666d406966a535e22f72da4108f0f036d9ae5
SHA256 7ae074c0a34b1461d8683b6d8b641164a510494de9382a110f7e411cda438534
SHA512 946774c3eeb36b821454438cf99655587c0e42b6a7b75d120d4e47105bebe47522f3b9817dbaad7e1aa5254bc69d417644050ccedc4b98245e4daf0a9e1f5c58

memory/1864-315-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1864-1849-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 44b1d976ac1b619eb8f20332e9307cd1
SHA1 2644ec5390e5bd5c7e45f9b0316378881ae36a7e
SHA256 98b56337fed63960a955fde77cf678b5d3df5aa620e0834d0d1be24cabdba0fd
SHA512 745410aacc11176be2efab183f0bd8e8d71ec26d9931051d4248963f62f962e66b5e4554923dff01b5ad562ab93b8010dcce855278f09e8cca781a83c4eb2340

memory/1864-3309-0x0000000000400000-0x0000000000436000-memory.dmp

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 40429fbe4769cde892d72cde845b3df8
SHA1 f5c804acf1e4659b85010ca8926f2eee4ee4ae62
SHA256 00c3830d8357fbd8e92cd7e440a848424bf94a68784664dcf469707b448b42d6
SHA512 e774273101c90343328379a114ba7349fe532145b0beff7c62f0702ad762502b9823da3d2397c55a7040c80e42c2b5562a8021d3663c7621de05dba03cb2ef51

memory/1864-3653-0x0000000000400000-0x0000000000436000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-11-10 01:24
Reported: 2024-11-10 01:26
Platform: win10v2004-20241007-en
Max time kernel: 150s
Max time network: 154s

Command Line

C:\Windows\Explorer.EXE

Signatures

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\zh-cn\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-tw\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\hu-hu\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.Telemetry\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\nl-nl\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ca-es\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sk-sk\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\lua\http\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\misc\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\en-us\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pt-br\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\pl-pl\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\root\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files (x86)\Windows NT\TableTextService\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\lua\http\css\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\tr-tr\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_~_8wekyb3d8bbwe\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-tw\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fi-fi\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\ext\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files\Windows Photo Viewer\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files\WindowsApps\Microsoft.VP9VideoExtensions_1.0.22681.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fi-fi\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\eu-es\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fr-fr\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-GB\en-GB_female_TTS\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\lib\security\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sk-sk\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\kn\_desktop.ini | C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe | N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\_desktop.ini C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\da-dk\_desktop.ini C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ca-es\_desktop.ini C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\tr-tr\_desktop.ini C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\de-de\_desktop.ini C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\_desktop.ini C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\_desktop.ini C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.ZuneMusic_10.19071.19011.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fr-fr\_desktop.ini C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sk-sk\_desktop.ini C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\or_IN\LC_MESSAGES\_desktop.ini C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\pt_BR\_desktop.ini C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\AppTiles\_desktop.ini C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\en-US\_desktop.ini C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\_desktop.ini C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\_desktop.ini C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nl-nl\_desktop.ini C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\Simple\_desktop.ini C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\de\LC_MESSAGES\_desktop.ini C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe

"C:\Users\Admin\AppData\Local\Temp\90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 101.209.201.84.in-addr.arpa udp

Files

memory/1256-0-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1256-5-0x0000000000400000-0x0000000000436000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3227495264-2217614367-4027411560-1000\_desktop.ini

MD5 2a3fd5c71388ca70bcd12900f65d5a77
SHA1 7619579d21480b9a4800bc830dbf20354e50b979
SHA256 a48a9bee0ea1d148d80a848e506f13606a80f84e7f4fa4a3ceeb0f47eab1bf40
SHA512 0e803903a477f9761178c6892c45f3522f9af5b6ef550f446c0dea329dcbe2753760a17086397ff4f9c66ec93a3dbbd1e7b6aaaa71f77c70c9c8de81429c3aa0

memory/1256-12-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1256-18-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1256-22-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Program Files\dotnet\dotnet.exe

MD5 d241fc0812a05fa28580444d63e24f99
SHA1 f7bdce38f7720591b5765fd8dd12c75e7fe16ad9
SHA256 8807eeaa5d35b7be4b284f3baf9a1d6893d56d7064e0949034ddb885a4f4ed56
SHA512 5aaadee837644916679585891bf780836cdedd4987dba552226c095d2091f0b3b8ec644c74ded81425377774610cbbea026702a8176bbb25d2ae7bcc979636f3

memory/1256-397-0x0000000000400000-0x0000000000436000-memory.dmp

memory/1256-1219-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

MD5 fdc95026717686b36d356c9053eb1019
SHA1 3d301424838bbc55d88ba9dbcb6a65612ff54b9b
SHA256 e2813a7fb0a036eb9b0861b1687ba73d8380ecb2b9cbe0eededd4edfd8ad7f49
SHA512 9890073e956436de9dd5c09c7b36a718f7a746655ed4fb7eceb7390b500888475f4b64c29d26eeda62240be5c8efc6a1735c4322d6d9cde9bb60315d64bf4fff

memory/1256-4770-0x0000000000400000-0x0000000000436000-memory.dmp

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 c6d6354b442f8417dc66b1723a800f2f
SHA1 94525ba06431ca98c5b8b58c60b24ac8811b1748
SHA256 848e14757895f1da1da61c8bb06127caaeb36eb3361768b3baf1a7974ad16716
SHA512 49b347afad74e96aeedddaaf3bbf7cb261c5590b4991af35f3fcd5fe2a22954266e5dc84b100590731da608ba49aa04fd5f22c7997d20ca5999cc63103180a5f

memory/1256-5239-0x0000000000400000-0x0000000000436000-memory.dmp