Malware Analysis Report

2024-11-30 02:36

Sample ID: 240407-wk4sjaag36
Target:    fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7
SHA256:    fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7
Tags:      spyware, stealer
Score:     8/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score:        8/10
SHA256:       fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7
Threat Level: Likely malicious

The file fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7 was found to be: Likely malicious.

Malicious Activity Summary

Tags: spyware, stealer

Drops file in Drivers directory (the file written is C:\Windows\system32\drivers\etc\hosts; this is a hosts-file modification, not a driver)
Drops startup file (behavioral2 only: a _desktop.ini in the Word STARTUP folder)
Reads user/profile data of web browsers
Deletes itself (through cmd /c on the dropped batch file $$a464.bat)
Executes dropped EXE (C:\Windows\Logo1_.exe)
Loads dropped DLL
Enumerates connected drives (drive letters E: and G: through Z:)
Drops file in Windows directory (Logo1_.exe, rundl132.exe, Dll.dll)
Drops file in Program Files directory (a _desktop.ini in many subdirectories; existing executables are also opened for modification)
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory (includes Logo1_.exe writing into Explorer.EXE)
Runs net.exe (net stop "Kingsoft AntiVirus Service")

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-07 17:59

Signatures

Unsigned PE

Description Indicator Process Target
(no indicator rows are recorded for this signature; all columns N/A)

Analysis: behavioral1

Detonation Overview

Submitted:        2024-04-07 17:59
Reported:         2024-04-07 18:03
Platform:         win7-20240221-en
Max time kernel:  174s
Max time network: 140s

Command Line

C:\Windows\Explorer.EXE

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe N/A
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\Logo1_.exe N/A

Both rows are the hosts file, not a driver: the signature fires on the drivers\ path prefix. The original sample and the dropped Logo1_.exe each open hosts for writing; the resulting file is hashed in the Files section below.

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Only the process column is recorded: the deletion is carried out through cmd.exe, which runs the dropped batch file C:\Users\Admin\AppData\Local\Temp\$$a464.bat (see Processes and Files below).

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Two events, both attributed to cmd.exe; the rows do not name the DLL. The only DLL among the dropped files listed below is C:\Windows\Dll.dll, created by Logo1_.exe.

Reads user/profile data of web browsers

Tags: spyware, stealer. No indicator rows are recorded for this signature.

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Mozilla Firefox\defaults\pref\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\en_GB\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\pa\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Stationery\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Minesweeper\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Mozilla Firefox\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\pa\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sq\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\policytool.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\hrtfs\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\ktab.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Mail\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Triedit\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

No indicator rows are recorded. The Processes list shows the command: net stop "Kingsoft AntiVirus Service", issued once by the sample (PID 3028) and twice by Logo1_.exe (PID 2752).

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe N/A (13 events)
N/A N/A C:\Windows\Logo1_.exe N/A (30 events)

Only the process column is recorded; no indicator detail was captured for this signature.

Suspicious use of WriteProcessMemory

Each edge is listed once below; the sandbox logged it four times per process start and twice for the write into Explorer.EXE (PID 1412). The first nine edges correspond to the process starts visible in the Processes list; the last is a write into the already-running shell.

Description Indicator Process Target
PID 3028 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe C:\Windows\SysWOW64\net.exe
PID 2148 wrote to memory of 2860 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3028 wrote to memory of 2440 N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe C:\Windows\SysWOW64\cmd.exe
PID 3028 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe C:\Windows\Logo1_.exe
PID 2752 wrote to memory of 2664 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2664 wrote to memory of 2424 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2440 wrote to memory of 1768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe
PID 2752 wrote to memory of 3008 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3008 wrote to memory of 800 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2752 wrote to memory of 1412 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
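The table above is the only place this report records parent/child relations, and the repeated rows make it hard to read. The script below is an added example (not part of the sandbox output): it parses rows in the raw format the sandbox emits ("PID A wrote to memory of B N/A <image A> <image B>"), de-duplicates them, rebuilds the process tree, and separates out writes into a process the sample did not start. The embedded rows are copied from the behavioral1 table with most repeats trimmed. One assumption is labelled in the code: the sandbox launches the sample from Explorer.EXE (the report's Command Line field), so Explorer was already running and a write into it is treated as an injection candidate rather than a process start.

```python
"""Rebuild the process tree from a sandbox WriteProcessMemory table.

Added example; not part of the original report.  Rows copied from the
behavioral1 table are parsed, de-duplicated and turned into a parent/child
tree; writes into a pre-existing process are reported separately.
"""
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe"
NET = r"C:\Windows\SysWOW64\net.exe"
NET1 = r"C:\Windows\SysWOW64\net1.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
LOGO1 = r"C:\Windows\Logo1_.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"

# Rows from the behavioral1 table.  The sandbox logged each process start four
# times and the Explorer.EXE write twice; a couple of repeats are kept to show
# the de-duplication.
SAMPLE_ROWS = [
    f"PID 3028 wrote to memory of 2148 N/A {SAMPLE} {NET}",
    f"PID 3028 wrote to memory of 2148 N/A {SAMPLE} {NET}",
    f"PID 2148 wrote to memory of 2860 N/A {NET} {NET1}",
    f"PID 3028 wrote to memory of 2440 N/A {SAMPLE} {CMD}",
    f"PID 3028 wrote to memory of 2752 N/A {SAMPLE} {LOGO1}",
    f"PID 2752 wrote to memory of 2664 N/A {LOGO1} {NET}",
    f"PID 2664 wrote to memory of 2424 N/A {NET} {NET1}",
    f"PID 2440 wrote to memory of 1768 N/A {CMD} {SAMPLE}",
    f"PID 2752 wrote to memory of 3008 N/A {LOGO1} {NET}",
    f"PID 3008 wrote to memory of 800 N/A {NET} {NET1}",
    f"PID 2752 wrote to memory of 1412 N/A {LOGO1} {EXPLORER}",
    f"PID 2752 wrote to memory of 1412 N/A {LOGO1} {EXPLORER}",
]

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Assumption: the sandbox starts the sample from Explorer.EXE (the report's
# "Command Line" field), so Explorer was already running and cannot be a child.
PREEXISTING_IMAGES = {EXPLORER.lower()}


def parse_rows(rows):
    """Return unique (src_pid, dst_pid, src_image, dst_image) edges in first-seen order."""
    edges = {}
    for row in rows:
        m = ROW_RE.match(row.strip())
        if m:
            src, dst = int(m[1]), int(m[2])
            edges.setdefault((src, dst), (src, dst, m[3], m[4]))
    return list(edges.values())


def split_edges(edges):
    """Separate process-start edges from writes into pre-existing processes."""
    starts, injections = [], []
    for edge in edges:
        (injections if edge[3].lower() in PREEXISTING_IMAGES else starts).append(edge)
    return starts, injections


def build_tree(edges):
    """Map pid -> image and pid -> [child pids]; roots are pids nobody wrote into."""
    images, children = {}, {}
    for src, dst, src_img, dst_img in edges:
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
        children.setdefault(src, []).append(dst)
    written_into = {dst for _, dst, _, _ in edges}
    roots = [pid for pid in images if pid not in written_into]
    return images, children, roots


def render(images, children, roots):
    """Indented text tree, one 'pid image' line per process, depth-first."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {images[pid]}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


def analyse(rows=SAMPLE_ROWS):
    """Parse, split and render; returns the tree lines, child map and injection edges."""
    edges = parse_rows(rows)
    starts, injections = split_edges(edges)
    images, children, roots = build_tree(starts)
    return {
        "edge_count": len(edges),
        "tree": render(images, children, roots),
        "children": children,
        "injections": injections,
    }


if __name__ == "__main__":
    result = analyse()
    print("\n".join(result["tree"]))
    for src, dst, src_img, dst_img in result["injections"]:
        print(f"injection candidate: {src} ({src_img}) -> {dst} ({dst_img})")
```

Run against the rows above, the tree has the sample (PID 3028) as its single root with net.exe, cmd.exe and Logo1_.exe as children, the re-launched sample (PID 1768) under cmd.exe, and the two net.exe/net1.exe pairs under Logo1_.exe; the only edge that does not fit the tree is Logo1_.exe (2752) writing into Explorer.EXE (1412), which is where a memory dump of that process (memory/1412-31 in the Files section) should be examined.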

Processes

Process list with command lines. PIDs are taken from the WriteProcessMemory table above; indentation follows the parent/child relations recorded there.

C:\Windows\Explorer.EXE (PID 1412)
    C:\Windows\Explorer.EXE
    (the launching shell; Logo1_.exe later writes into this process)

C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe (PID 3028)
    "C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe"

  C:\Windows\SysWOW64\net.exe (PID 2148)
      net stop "Kingsoft AntiVirus Service"

    C:\Windows\SysWOW64\net1.exe (PID 2860)
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

  C:\Windows\SysWOW64\cmd.exe (PID 2440)
      cmd /c C:\Users\Admin\AppData\Local\Temp\$$a464.bat

    C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe (PID 1768)
        "C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe"

  C:\Windows\Logo1_.exe (PID 2752)
      C:\Windows\Logo1_.exe

    C:\Windows\SysWOW64\net.exe (PID 2664)
        net stop "Kingsoft AntiVirus Service"

      C:\Windows\SysWOW64\net1.exe (PID 2424)
          C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

    C:\Windows\SysWOW64\net.exe (PID 3008)
        net stop "Kingsoft AntiVirus Service"

      C:\Windows\SysWOW64\net1.exe (PID 800)
          C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

No network activity recorded (N/A).

Files

Dropped, modified or written files (hashes as recorded by the sandbox):

C:\Users\Admin\AppData\Local\Temp\$$a464.bat
  MD5    43819d3ca9c920145ac761ca0a2da8b8
  SHA1   5fa32fe94b9075a948658efe4d343bb4d09ed094
  SHA256 d4bac7b953d3faad67098ce1cb796fb046899cf6d2aea28f8052dbf35f7e28e5
  SHA512 04ce5574ef71d2b79192579182d4dccf7d0f5a2fe46e12bf073fc9f4c3c582bb73050df6fbbdf243a82a3716ae6dab6ecbd9602d24403fcd472e9297f0ea5712

C:\Windows\Logo1_.exe
  MD5    0e8792b58f9237e03516447b7048d63c
  SHA1   6f28494f0766ee470bbced1fe79fb10e5fee8252
  SHA256 7e4e7447ce04580a3af3a9bf90810712d6daebc0ced6c6856eae22771ac50956
  SHA512 6b935debde1916d7b1f2239ac3534c1f1585406c0d5f1060fdb356253cfab2fe9c716fd7ad05f20b9b3bb222307f15ae1b88e9062c7282d570b523150364e8a5

C:\Windows\system32\drivers\etc\hosts
  MD5    7e3a0edd0c6cd8316f4b6c159d5167a1
  SHA1   753428b4736ffb2c9e3eb50f89255b212768c55a
  SHA256 1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c
  SHA512 9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe.exe
  MD5    095dabb90bb0953800131fbcc6f6df5e
  SHA1   9166e25e1fe27c3f92e642ec2fcc36e7c3b19216
  SHA256 72f1979b588357e1b0dc3e6e9f9a368d2742f18bf1daab0ee94f26d6811f8a33
  SHA512 041a008d96140a46aa89776fd11e64064b9cda9bd551747f59ae98ccfdff07af010061338655d4d07925f4e2a6c9fc3c79159cec2c9e055445f4b2ab1275152f

F:\$RECYCLE.BIN\S-1-5-21-2461186416-2307104501-1787948496-1000\_desktop.ini
  MD5    331b730a7f1adbf1f0bc05e0c610f0f1
  SHA1   2f2283f84f040fbd4ecf99055026b70bb3b732ec
  SHA256 2d3dbb80989e5cc7ef9ef800cc986bb8dccf4ca1f78437040bccd59312a55593
  SHA512 16790117c382e66c8af2932ed0c37229ae5ee6b8bbaa8bd4e3f9afed6e07cd89c5807c81145f19f561ab714d844826cf6099a6dc97d84fa3f9da5e763bcc78c4

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
  MD5    196e80c6461b51a75560df3e57cfbd9a
  SHA1   3dd1bb9835e97f093efe4ffd8c078d8fa3d4ef7f
  SHA256 dee2cf210ee5f75549462b7cb03674155eb011190c77e332d53edcf655bcc237
  SHA512 00a3d357b589b85a644c78558fd8eff80832cec119f8d4976f7248ce2521dbe331078129ec35af26ec18d182daad55812e3d57f2f9b73615762a37ac2fc15798

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
  MD5    e93193856beaecee9905e2a6f36be17f
  SHA1   d4c267ea34f28f048e29461656984aad70912eda
  SHA256 1d345f4e09acdbc12e63ce90d0bd373b56d50a378f4603d8425f6df815e44a7b
  SHA512 1fbe9c0e86ad98d6a2a7924badec0fffc69a7d0a4839e8af45d0aedf1e4e24a4a798df0ec5b8d0aa6e0e566c0c83a4030549bd32b9ac27406fc772d4a2ff5fc3

Note the .exe.exe entry: its hashes differ from the submitted sample, so the batch file produced a distinct copy rather than a plain rename. The last two entries are pre-existing executables, not files the sample dropped; together with the "File opened for modification" rows for 7zFM.exe, policytool.exe, ktab.exe and javaws.exe under Program Files, they show Logo1_.exe opening existing executables for writing, so on an affected host such binaries should be re-hashed against known-good copies rather than trusted by path.

Memory dumps (pid-index-start-end):

memory/3028-0-0x0000000000400000-0x000000000043E000-memory.dmp
memory/3028-13-0x0000000000230000-0x000000000026E000-memory.dmp
memory/3028-21-0x0000000000230000-0x000000000026E000-memory.dmp
memory/3028-17-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2752-22-0x0000000000400000-0x000000000043E000-memory.dmp
memory/1412-31-0x0000000002560000-0x0000000002561000-memory.dmp
memory/2752-34-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2752-92-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2752-1355-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2752-2236-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2752-2942-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2752-3285-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2752-4045-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1412-31 is a single 4 KB page in Explorer.EXE (PID 1412), captured after Logo1_.exe (PID 2752) wrote into that process; it is the region to examine for injected code. The 0x400000 dumps of PIDs 3028 and 2752 cover the same 0x3E000-byte image range, consistent with Logo1_.exe being a copy of the sample's own image.
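The Files section gives everything needed to check another host for this sample's artefacts, but only as a list of paths and hashes. The script below is an added example, not part of the sandbox output: it walks a drive root, reports whether the dropped paths from the "Drops file in Windows directory" table exist, compares hashes with the SHA-256 values recorded in this report, sweeps Program Files for the _desktop.ini markers, and lists hosts-file entries beyond the stock localhost lines (the report records that hosts was modified but not what was written). The fixture it scans is constructed: placeholder contents that match by path but not by hash, which is exactly the case a responder needs to recognise as "same family, different build". Point scan() at C:\ on a live host instead of the fixture.

```python
"""Host triage for the artefacts listed in this report's Files and Drops tables.

Added example, not part of the original report.  The fixture built by
build_fixture() is constructed; its contents are placeholders, so the path
checks hit while the hash checks (deliberately) do not.
"""
import hashlib
import tempfile
from pathlib import Path

# Paths created by the sample (behavioral1 "Drops file in Windows directory").
DROPPED_PATHS = ["Windows/Logo1_.exe", "Windows/rundl132.exe", "Windows/Dll.dll"]
HOSTS_PATH = "Windows/system32/drivers/etc/hosts"
PROGRAM_DIRS = ["Program Files", "Program Files (x86)"]

# SHA-256 values taken from the behavioral1 Files section of this report.
IOC_SHA256 = {
    "fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7": "original sample",
    "7e4e7447ce04580a3af3a9bf90810712d6daebc0ced6c6856eae22771ac50956": "Logo1_.exe",
    "d4bac7b953d3faad67098ce1cb796fb046899cf6d2aea28f8052dbf35f7e28e5": "$$a464.bat",
    "72f1979b588357e1b0dc3e6e9f9a368d2742f18bf1daab0ee94f26d6811f8a33": "renamed sample (.exe.exe)",
    "2d3dbb80989e5cc7ef9ef800cc986bb8dccf4ca1f78437040bccd59312a55593": "_desktop.ini marker",
}


def sha256_file(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hosts_overrides(path):
    """Active hosts entries other than the stock localhost lines."""
    if not path.is_file():
        return []
    extra = []
    for line in path.read_text(errors="replace").splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        names = entry.split()[1:]
        if names and all(n.lower() == "localhost" for n in names):
            continue
        extra.append(entry)
    return extra


def scan(root):
    """Return path hits (with hash-match flag), hash hits, marker files and hosts entries."""
    root = Path(root)
    report = {"dropped": [], "hash_hits": [], "desktop_ini": [], "hosts_overrides": []}
    for rel in DROPPED_PATHS:
        path = root / rel
        if path.is_file():
            report["dropped"].append((rel, sha256_file(path) in IOC_SHA256))
    # Hash only where the report shows writes: the Windows root and user Temp folders.
    candidates = list((root / "Windows").glob("*")) + list(root.glob("Users/*/AppData/Local/Temp/*"))
    for path in candidates:
        if path.is_file():
            label = IOC_SHA256.get(sha256_file(path))
            if label:
                report["hash_hits"].append((str(path.relative_to(root)), label))
    for d in PROGRAM_DIRS:
        base = root / d
        if base.is_dir():
            report["desktop_ini"] += sorted(str(p.relative_to(root)) for p in base.rglob("_desktop.ini"))
    report["hosts_overrides"] = hosts_overrides(root / HOSTS_PATH)
    return report


def build_fixture(base):
    """Constructed layout mimicking the dropped artefacts; all contents are placeholders."""
    base = Path(base)
    for rel in DROPPED_PATHS:
        (base / rel).parent.mkdir(parents=True, exist_ok=True)
        (base / rel).write_bytes(b"MZ placeholder, constructed for this example\n")
    for d in ("Program Files/Mozilla Firefox", "Program Files (x86)/Google/Update/1.3.36.151"):
        (base / d).mkdir(parents=True, exist_ok=True)
        (base / d / "_desktop.ini").write_text("constructed marker\n")
    hosts = base / HOSTS_PATH
    hosts.parent.mkdir(parents=True, exist_ok=True)
    # The report says hosts was modified but not what was written; this extra
    # line is constructed purely to exercise the check.
    hosts.write_text("# Copyright (c) 1993-2009 Microsoft Corp.\n127.0.0.1 localhost\n::1 localhost\n"
                     "127.0.0.1 av-update.constructed.example\n")
    return base


def run_demo():
    """Build the fixture in a temporary directory, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan(build_fixture(tmp))


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

A path hit with a False hash flag, as the fixture produces, means the file name matches this report but the content does not: treat it as a related build and submit the file for its own analysis rather than assuming the hashes above apply.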

Analysis: behavioral2

Detonation Overview

Submitted:        2024-04-07 17:59
Reported:         2024-04-07 18:02
Platform:         win10v2004-20240319-en
Max time kernel:  150s
Max time network: 133s

Command Line

C:\Windows\Explorer.EXE

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\Logo1_.exe N/A
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe N/A

As in behavioral1, both rows are the hosts file rather than a driver.

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A

Word loads templates and add-ins from STARTUP, not .ini files, so this is the same per-directory _desktop.ini marker seen under Program Files landing in a folder the signature treats as a startup location; it is not evidence of a separate persistence mechanism.

Reads user/profile data of web browsers

Tags: spyware, stealer. No indicator rows are recorded for this signature.

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\is\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sl-si\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\pwahelper.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\security\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\pl-pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\nb-no\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pl-pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\include\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SATIN\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\nb-no\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pl-pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hu-hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ar\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Comprehensive\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\fi-fi\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Google\Update\1.3.36.151\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\xjc.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hu-hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\management\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\cs-cz\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\Installer\setup.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.92\ResiliencyLinks\VisualElements\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nb-no\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\fi-fi\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\eu-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\host\fxr\6.0.27\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Help\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3296 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe C:\Windows\SysWOW64\net.exe
PID 3296 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe C:\Windows\SysWOW64\net.exe
PID 3296 wrote to memory of 2832 N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe C:\Windows\SysWOW64\net.exe
PID 2832 wrote to memory of 1100 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2832 wrote to memory of 1100 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2832 wrote to memory of 1100 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3296 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe C:\Windows\SysWOW64\cmd.exe
PID 3296 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe C:\Windows\SysWOW64\cmd.exe
PID 3296 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe C:\Windows\SysWOW64\cmd.exe
PID 3296 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe C:\Windows\Logo1_.exe
PID 3296 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe C:\Windows\Logo1_.exe
PID 3296 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe C:\Windows\Logo1_.exe
PID 4864 wrote to memory of 1212 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4864 wrote to memory of 1212 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4864 wrote to memory of 1212 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1212 wrote to memory of 1432 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1212 wrote to memory of 1432 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1212 wrote to memory of 1432 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1400 wrote to memory of 3288 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe
PID 1400 wrote to memory of 3288 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe
PID 1400 wrote to memory of 3288 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe
PID 4864 wrote to memory of 324 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4864 wrote to memory of 324 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4864 wrote to memory of 324 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 324 wrote to memory of 1684 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 324 wrote to memory of 1684 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 324 wrote to memory of 1684 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4864 wrote to memory of 3444 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 4864 wrote to memory of 3444 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe

"C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a7A12.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe

"C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3176 --field-trial-handle=3536,i,10914981530159316853,12381340356750224673,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 21.114.53.23.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 edge.msiserver.lan udp
US 8.8.8.8:53 edge.msiserver.lan udp
US 8.8.8.8:53 edge.msiserver.lan udp
US 8.8.8.8:53 edge.msiserver.lan udp
US 8.8.8.8:53 edge.msiserver.lan udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

memory/3296-0-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\Logo1_.exe

MD5 0e8792b58f9237e03516447b7048d63c
SHA1 6f28494f0766ee470bbced1fe79fb10e5fee8252
SHA256 7e4e7447ce04580a3af3a9bf90810712d6daebc0ced6c6856eae22771ac50956
SHA512 6b935debde1916d7b1f2239ac3534c1f1585406c0d5f1060fdb356253cfab2fe9c716fd7ad05f20b9b3bb222307f15ae1b88e9062c7282d570b523150364e8a5

memory/3296-9-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4864-10-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\system32\drivers\etc\hosts

MD5 6f4adf207ef402d9ef40c6aa52ffd245
SHA1 4b05b495619c643f02e278dede8f5b1392555a57
SHA256 d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e
SHA512 a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

C:\Users\Admin\AppData\Local\Temp\$$a7A12.bat

MD5 b1030dc3ca5cddb28e45914579ffc87c
SHA1 45ef2a3c8d792b0f956d1b1115c4a9e80068aeb7
SHA256 3a3393e6009c8c0df87b279d5f8121459cc5d681986183b5daaefe33418e9663
SHA512 e15056623fd65a3f6bb0fe56b13b39462b87a47f0749841e2c0eff4a764cedc9e41a58e2cb07d722a694d467b1c5fc19512a100e3e06faac068f1bfb85fc479c

C:\Users\Admin\AppData\Local\Temp\fa8df5979f6d836bbbf92c4dcb28b0d5cae3c930d7d25aaf5cf323cf46fb58f7.exe.exe

MD5 095dabb90bb0953800131fbcc6f6df5e
SHA1 9166e25e1fe27c3f92e642ec2fcc36e7c3b19216
SHA256 72f1979b588357e1b0dc3e6e9f9a368d2742f18bf1daab0ee94f26d6811f8a33
SHA512 041a008d96140a46aa89776fd11e64064b9cda9bd551747f59ae98ccfdff07af010061338655d4d07925f4e2a6c9fc3c79159cec2c9e055445f4b2ab1275152f

memory/4864-19-0x0000000000400000-0x000000000043E000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-817259280-2658881748-983986378-1000\_desktop.ini

MD5 331b730a7f1adbf1f0bc05e0c610f0f1
SHA1 2f2283f84f040fbd4ecf99055026b70bb3b732ec
SHA256 2d3dbb80989e5cc7ef9ef800cc986bb8dccf4ca1f78437040bccd59312a55593
SHA512 16790117c382e66c8af2932ed0c37229ae5ee6b8bbaa8bd4e3f9afed6e07cd89c5807c81145f19f561ab714d844826cf6099a6dc97d84fa3f9da5e763bcc78c4

C:\Program Files\7-Zip\7z.exe

MD5 52b929e3308c6c5cf1e9366799ba774d
SHA1 73367e44a6aeb30f38c053492485ccc88f3f96b9
SHA256 1371f108190c128f882a8babd65e575855c16a158530163f97d4aaec08204a3a
SHA512 074eb6f7224979654bf1f5239a9b46a4a30ce8a17c3e47b3f38902cffdbb4c394facbe948d6b0b7f99077483708f8bc03aa40fb1ddba2c18033d52719ac47baa

memory/4864-1491-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 196e80c6461b51a75560df3e57cfbd9a
SHA1 3dd1bb9835e97f093efe4ffd8c078d8fa3d4ef7f
SHA256 dee2cf210ee5f75549462b7cb03674155eb011190c77e332d53edcf655bcc237
SHA512 00a3d357b589b85a644c78558fd8eff80832cec119f8d4976f7248ce2521dbe331078129ec35af26ec18d182daad55812e3d57f2f9b73615762a37ac2fc15798

memory/4864-5427-0x0000000000400000-0x000000000043E000-memory.dmp

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 635e9422a0a86f5c7ac989802b0ac448
SHA1 3ea9cc1462b063639526a8d278b571f38b846d1d
SHA256 a97d8545a6204abf1a179f2098ca8780e92f4448c7a03e62f6c32e8e5e5cb17f
SHA512 857c6d683fe1f7a6757420c84efc4f7f48f58e586e601c969ce27e4ded8cad6ca774ef367a1a1e075081c4e2d41f8cdda558fddf5622e062975cfeff5a929133

memory/4864-8997-0x0000000000400000-0x000000000043E000-memory.dmp