Malware Analysis Report

2024-11-30 02:49

Sample ID 240407-wka58aad5s
Target a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220
SHA256 a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220
Tags

spyware stealer

score

8/10


Analysis Overview

score
8/10

SHA256

a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220

Threat Level: Likely malicious

The file a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220 was found to be: Likely malicious.

Malicious Activity Summary

spyware stealer

Drops file in Drivers directory

Deletes itself

Reads user/profile data of web browsers

Executes dropped EXE

Drops startup file

Loads dropped DLL

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Runs net.exe

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-04-07 17:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 17:58

Reported

2024-04-07 18:00

Platform

win7-20240220-en

Max time kernel

150s

Max time network

121s

Command Line

C:\Windows\Explorer.EXE

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe N/A
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\Logo1_.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\zh_TW\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Defender\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ca\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\br\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\cy\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Uninstall Information\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Accessories\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\bin\dtplugin\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\plugin-container.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ky\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ug\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\az\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\extensions\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\pipanel.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\br\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2276 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe C:\Windows\SysWOW64\net.exe
PID 2276 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe C:\Windows\SysWOW64\net.exe
PID 2276 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe C:\Windows\SysWOW64\net.exe
PID 2276 wrote to memory of 1632 N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe C:\Windows\SysWOW64\net.exe
PID 1632 wrote to memory of 2540 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1632 wrote to memory of 2540 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1632 wrote to memory of 2540 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1632 wrote to memory of 2540 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2276 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe C:\Windows\SysWOW64\cmd.exe
PID 2276 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe C:\Windows\SysWOW64\cmd.exe
PID 2276 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe C:\Windows\SysWOW64\cmd.exe
PID 2276 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe C:\Windows\SysWOW64\cmd.exe
PID 2276 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe C:\Windows\Logo1_.exe
PID 2276 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe C:\Windows\Logo1_.exe
PID 2276 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe C:\Windows\Logo1_.exe
PID 2276 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe C:\Windows\Logo1_.exe
PID 2608 wrote to memory of 2616 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2608 wrote to memory of 2616 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2608 wrote to memory of 2616 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2608 wrote to memory of 2616 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2616 wrote to memory of 2576 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2616 wrote to memory of 2576 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2616 wrote to memory of 2576 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2616 wrote to memory of 2576 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2588 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe
PID 2588 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe
PID 2588 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe
PID 2588 wrote to memory of 2716 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe
PID 2608 wrote to memory of 2948 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2608 wrote to memory of 2948 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2608 wrote to memory of 2948 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2608 wrote to memory of 2948 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2948 wrote to memory of 1968 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2948 wrote to memory of 1968 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2948 wrote to memory of 1968 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2948 wrote to memory of 1968 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2608 wrote to memory of 1208 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2608 wrote to memory of 1208 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe

"C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$aE82.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe

"C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/2276-0-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aE82.bat

MD5 60dda539bef1283a5fda805576febed8
SHA1 c71d4359d89d3c9c947cac72e65477e66357d457
SHA256 802f7b15591bf8ff59e251c89dbe05eff6b59d41a62f90a975bf9c1c633ffccb
SHA512 53236000470c05168db78349a4dda5f0d63b3541ac6454c0ce833dfa0e4147d1e97c713dc394ce0915084f8d77f1ae415fb88cab1b3091d3bf5b390f478be2bf

C:\Windows\Logo1_.exe

MD5 0e8792b58f9237e03516447b7048d63c
SHA1 6f28494f0766ee470bbced1fe79fb10e5fee8252
SHA256 7e4e7447ce04580a3af3a9bf90810712d6daebc0ced6c6856eae22771ac50956
SHA512 6b935debde1916d7b1f2239ac3534c1f1585406c0d5f1060fdb356253cfab2fe9c716fd7ad05f20b9b3bb222307f15ae1b88e9062c7282d570b523150364e8a5

memory/2276-20-0x00000000002E0000-0x000000000031E000-memory.dmp

memory/2608-22-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe.exe

MD5 7b112b1fb864c90ec5b65eab21cb40b8
SHA1 e7b73361f722fc7cbb93ef98a8d26e34f4d49767
SHA256 751941b4e09898c31791efeb5f90fc7367c89831d4a98637ed505e40763e287b
SHA512 bf9cdeff39cc4fa48457c55ad02e3856b5b27998535aed801a469252f01e7676462332fa3f93877753e963d037472f615c1fc5fc2e996316621b4e0a180cb5f5

memory/2276-21-0x00000000002E0000-0x000000000031E000-memory.dmp

C:\Windows\system32\drivers\etc\hosts

MD5 7e3a0edd0c6cd8316f4b6c159d5167a1
SHA1 753428b4736ffb2c9e3eb50f89255b212768c55a
SHA256 1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c
SHA512 9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

memory/2276-17-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1208-31-0x0000000002D80000-0x0000000002D81000-memory.dmp

memory/2608-35-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2276-37-0x00000000002E0000-0x000000000031E000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\_desktop.ini

MD5 331b730a7f1adbf1f0bc05e0c610f0f1
SHA1 2f2283f84f040fbd4ecf99055026b70bb3b732ec
SHA256 2d3dbb80989e5cc7ef9ef800cc986bb8dccf4ca1f78437040bccd59312a55593
SHA512 16790117c382e66c8af2932ed0c37229ae5ee6b8bbaa8bd4e3f9afed6e07cd89c5807c81145f19f561ab714d844826cf6099a6dc97d84fa3f9da5e763bcc78c4

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 196e80c6461b51a75560df3e57cfbd9a
SHA1 3dd1bb9835e97f093efe4ffd8c078d8fa3d4ef7f
SHA256 dee2cf210ee5f75549462b7cb03674155eb011190c77e332d53edcf655bcc237
SHA512 00a3d357b589b85a644c78558fd8eff80832cec119f8d4976f7248ce2521dbe331078129ec35af26ec18d182daad55812e3d57f2f9b73615762a37ac2fc15798

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 e93193856beaecee9905e2a6f36be17f
SHA1 d4c267ea34f28f048e29461656984aad70912eda
SHA256 1d345f4e09acdbc12e63ce90d0bd373b56d50a378f4603d8425f6df815e44a7b
SHA512 1fbe9c0e86ad98d6a2a7924badec0fffc69a7d0a4839e8af45d0aedf1e4e24a4a798df0ec5b8d0aa6e0e566c0c83a4030549bd32b9ac27406fc772d4a2ff5fc3

memory/2608-3287-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2608-4106-0x0000000000400000-0x000000000043E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 17:58

Reported

2024-04-07 18:00

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe N/A
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\Logo1_.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\fr-ma\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Updates\Download\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\plugins\rhp\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sk-sk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RICEPAPR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\uk-ua\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Accessories\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sq\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\de-de\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Validator\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\he-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ja-jp\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MEIPreload\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hr-hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pl-pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ru-ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\de\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\it-it\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\it-it\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fi-fi\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\nb\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\intf\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\it-it\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\Contracts\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\de\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\eu-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\MSBuild\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\rhp\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sk-sk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\it-it\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pl-pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hu-hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-si\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\uk-ua\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe N/A (26 identical events)
N/A N/A C:\Windows\Logo1_.exe N/A (38 identical events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4916 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe C:\Windows\SysWOW64\net.exe
PID 4916 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe C:\Windows\SysWOW64\net.exe
PID 4916 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe C:\Windows\SysWOW64\net.exe
PID 3368 wrote to memory of 512 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3368 wrote to memory of 512 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3368 wrote to memory of 512 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4916 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe C:\Windows\SysWOW64\cmd.exe
PID 4916 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe C:\Windows\SysWOW64\cmd.exe
PID 4916 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe C:\Windows\SysWOW64\cmd.exe
PID 4916 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe C:\Windows\Logo1_.exe
PID 4916 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe C:\Windows\Logo1_.exe
PID 4916 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe C:\Windows\Logo1_.exe
PID 1692 wrote to memory of 4264 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1692 wrote to memory of 4264 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1692 wrote to memory of 4264 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4264 wrote to memory of 556 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4264 wrote to memory of 556 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4264 wrote to memory of 556 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3916 wrote to memory of 3644 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe
PID 3916 wrote to memory of 3644 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe
PID 3916 wrote to memory of 3644 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe
PID 1692 wrote to memory of 1388 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1692 wrote to memory of 1388 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1692 wrote to memory of 1388 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1388 wrote to memory of 4212 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1388 wrote to memory of 4212 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1388 wrote to memory of 4212 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1692 wrote to memory of 3372 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 1692 wrote to memory of 3372 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
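The rows above carry the execution chain of this detonation. Every parent/child pair in the Processes list below appears here as exactly three writes from the parent into the newly started child (sample into net.exe, cmd.exe and Logo1_.exe; Logo1_.exe into its own net.exe children; cmd.exe into a relaunch of the sample path). The last two rows are different in kind: Logo1_.exe (PID 1692) writes into Explorer.EXE (PID 3372), which is the root process of the detonation and was not started by anything in this chain, so this is a write into a process the writer did not create. The following Python is an analyst helper added to this page, not part of the sandbox output: it parses the table rows as listed, rebuilds the process tree and flags writes whose target the writer did not spawn. Treating PID 3372 as pre-existing is an assumption taken from the Processes list, and the "first writer into a new PID is its creator" rule is analyst interpretation rather than something the report states.

```python
"""Rebuild the execution chain from the 'wrote to memory of' rows above.

Added analyst helper, not part of the sandbox output. WPM_ROWS is the
WriteProcessMemory table copied verbatim. PREEXISTING is an assumption taken
from the Processes list: Explorer.EXE (PID 3372) is the detonation's root.
"""
import ntpath
import re
from collections import Counter

WPM_ROWS = r"""
PID 4916 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe C:\Windows\SysWOW64\net.exe
PID 4916 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe C:\Windows\SysWOW64\net.exe
PID 4916 wrote to memory of 3368 N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe C:\Windows\SysWOW64\net.exe
PID 3368 wrote to memory of 512 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3368 wrote to memory of 512 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3368 wrote to memory of 512 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4916 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe C:\Windows\SysWOW64\cmd.exe
PID 4916 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe C:\Windows\SysWOW64\cmd.exe
PID 4916 wrote to memory of 3916 N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe C:\Windows\SysWOW64\cmd.exe
PID 4916 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe C:\Windows\Logo1_.exe
PID 4916 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe C:\Windows\Logo1_.exe
PID 4916 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe C:\Windows\Logo1_.exe
PID 1692 wrote to memory of 4264 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1692 wrote to memory of 4264 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1692 wrote to memory of 4264 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4264 wrote to memory of 556 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4264 wrote to memory of 556 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4264 wrote to memory of 556 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3916 wrote to memory of 3644 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe
PID 3916 wrote to memory of 3644 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe
PID 3916 wrote to memory of 3644 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe
PID 1692 wrote to memory of 1388 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1692 wrote to memory of 1388 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1692 wrote to memory of 1388 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1388 wrote to memory of 4212 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1388 wrote to memory of 4212 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1388 wrote to memory of 4212 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1692 wrote to memory of 3372 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 1692 wrote to memory of 3372 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
""".strip().splitlines()

PREEXISTING = {3372}   # assumption: PIDs alive before the sample ran (Explorer.EXE is the root)
# "PID <writer> wrote to memory of <target> N/A <writer image> <target image>"; images start with a drive letter.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A ([A-Za-z]:\\.*?) ([A-Za-z]:\\.*)$")


def parse_events(rows):
    """Return [(writer_pid, writer_image, target_pid, target_image)] in table order."""
    events = []
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unparsed row: {row!r}")
        w, t, w_img, t_img = m.groups()
        events.append((int(w), w_img, int(t), t_img))
    return events


def write_counts(events):
    """Number of WriteProcessMemory calls per (writer, target) pair."""
    return Counter((w, t) for w, _, t, _ in events)


def build_tree(events, preexisting):
    """Map child_pid -> parent_pid. The first writer into a PID that did not exist
    before the sample ran is taken to be its creator; later writers are ignored."""
    parent = {}
    for w, _, t, _ in events:
        if t not in preexisting and t not in parent:
            parent[t] = w
    return parent


def cross_process_writes(events, parent):
    """Writes whose target the writer did not create: injection candidates."""
    return sorted({(w, wi, t, ti) for w, wi, t, ti in events if parent.get(t) != w})


def image_names(events):
    """PID -> image path (the image of a PID never changes within this table)."""
    return {pid: img for w, wi, t, ti in events for pid, img in ((w, wi), (t, ti))}


def render(parent, names, root, depth=0):
    """Indented text tree rooted at `root`, children in order of first write."""
    lines = [f"{'    ' * depth}{root} {ntpath.basename(names[root])}"]
    for child in [c for c, p in parent.items() if p == root]:
        lines.extend(render(parent, names, child, depth + 1))
    return lines


if __name__ == "__main__":
    ev = parse_events(WPM_ROWS)
    tree, names, counts = build_tree(ev, PREEXISTING), image_names(ev), write_counts(ev)
    print("\n".join(render(tree, names, 4916)))   # 4916 is the sample, the first writer in the table
    for w, wi, t, ti in cross_process_writes(ev, tree):
        print(f"cross-process write: {w} {ntpath.basename(wi)} -> {t} {ntpath.basename(ti)} ({counts[(w, t)]} writes)")
```

Run stand-alone it prints a ten-node tree under the sample (PID 4916) and a single flagged edge, 1692 Logo1_.exe -> 3372 Explorer.EXE with 2 writes. The same parser works on any table in this layout; only PREEXISTING has to be supplied per report.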

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe

"C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a36A0.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe

"C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
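The process list above gives the commands this chain ran: net stop (and its worker net1 stop) against "Kingsoft AntiVirus Service" from both the sample and Logo1_.exe, and cmd.exe /c against a batch file in the user's Temp directory, after which the sample path is launched again. The file tables earlier give the on-disk side: Logo1_.exe, rundl132.exe (a digit 1 in place of the second l of rundll32.exe) and Dll.dll written directly into C:\Windows, _desktop.ini files written throughout Program Files (Windows' own folder marker is desktop.ini, without the underscore), and the hosts file opened for modification. The Python below turns those observations into detection checks over process and file events. It is an added example, not part of the sandbox output: the event records (including the benign controls), the field names, the keyword list and the system-binary list are constructed for illustration and are not a specific product's schema.

```python
"""Detection checks for the behaviours listed in this report.

Added example, not sandbox output. EVENTS is constructed telemetry modelled on
the Processes list and the 'Drops file' tables (plus benign controls); the
field names, SECURITY_WORDS and SYSTEM_BINARIES are assumptions.
"""
import ntpath
import re

EVENTS = [
    {"id": 1, "type": "process", "image": r"C:\Windows\SysWOW64\net.exe",
     "cmdline": 'net stop "Kingsoft AntiVirus Service"'},
    {"id": 2, "type": "process", "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a36A0.bat"},
    {"id": 3, "type": "file", "op": "create", "path": r"C:\Windows\Logo1_.exe"},
    {"id": 4, "type": "file", "op": "create", "path": r"C:\Windows\rundl132.exe"},
    {"id": 5, "type": "file", "op": "create", "path": r"C:\Windows\Dll.dll"},
    {"id": 6, "type": "file", "op": "create", "path": r"C:\Program Files\VideoLAN\VLC\locale\nb\_desktop.ini"},
    {"id": 7, "type": "file", "op": "modify", "path": r"C:\Windows\system32\drivers\etc\hosts"},
    # Benign controls (constructed): an admin stopping the spooler, a real desktop.ini, the real rundll32.
    {"id": 8, "type": "process", "image": r"C:\Windows\System32\net.exe", "cmdline": "net stop Spooler"},
    {"id": 9, "type": "file", "op": "create", "path": r"C:\Program Files\VideoLAN\VLC\desktop.ini"},
    {"id": 10, "type": "file", "op": "create", "path": r"C:\Windows\System32\rundll32.exe"},
]

# Assumed lists; tune SECURITY_WORDS to the products actually deployed in the estate.
SECURITY_WORDS = ("antivirus", "anti-virus", "defender", "security", "protection", "firewall")
SYSTEM_BINARIES = ("rundll32.exe", "svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe")
# net stop / net1 stop <service>, with or without a path prefix and quotes around the name.
NET_STOP_RE = re.compile(r'(?:^|\\)net1?(?:\.exe)?\s+stop\s+"?([^"]+?)"?\s*$', re.IGNORECASE)
# cmd /c <anything>\AppData\Local\Temp\<name>.bat
TEMP_BAT_RE = re.compile(r'/c\s+"?(\S*\\AppData\\Local\\Temp\\[^"\s]+\.bat)', re.IGNORECASE)


def confusable(name):
    """Fold digit-for-letter swaps so rundl132.exe compares equal to rundll32.exe."""
    return name.lower().replace("1", "l").replace("0", "o")


def check_process(ev):
    hits = []
    m = NET_STOP_RE.search(ev["cmdline"])
    if m and any(word in m.group(1).lower() for word in SECURITY_WORDS):
        hits.append(("stop_security_service", m.group(1)))
    if ntpath.basename(ev["image"]).lower() == "cmd.exe":
        m = TEMP_BAT_RE.search(ev["cmdline"])
        if m:
            hits.append(("cmd_runs_temp_batch", m.group(1)))
    return hits


def check_file(ev):
    hits = []
    directory, name = ntpath.split(ev["path"])
    low, directory = name.lower(), directory.lower()
    if low == "_desktop.ini":   # Windows' own marker file is desktop.ini, no underscore
        hits.append(("underscore_desktop_ini", ev["path"]))
    if ev["op"] == "create" and directory == r"c:\windows" and low.endswith((".exe", ".dll")):
        hits.append(("new_pe_in_windows_root", ev["path"]))
    if ev["op"] == "modify" and low == "hosts" and directory.endswith(r"\drivers\etc"):
        hits.append(("hosts_file_modified", ev["path"]))
    for known in SYSTEM_BINARIES:
        if low != known and confusable(low) == known:
            hits.append(("lookalike_system_binary", f"{name} resembles {known}"))
    return hits


def run(events):
    """Return {event id: [(rule, detail), ...]} for events that trigger at least one rule."""
    findings = {}
    for ev in events:
        hits = check_process(ev) if ev["type"] == "process" else check_file(ev)
        if hits:
            findings[ev["id"]] = hits
    return findings


if __name__ == "__main__":
    for event_id, hits in run(EVENTS).items():
        for rule, detail in hits:
            print(f"event {event_id}: {rule}: {detail}")
```

The Temp-batch rule deliberately matches any .bat under AppData\Local\Temp launched through cmd /c rather than the literal $$a36A0.bat, since that name is generated per run. The lookalike check generalises the rundl132/rundll32 swap to other digit-for-letter substitutions against a short list of system binaries; the three benign control events produce no findings.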

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 241.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 30.73.42.20.in-addr.arpa udp

Files

memory/4916-0-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\Logo1_.exe

MD5 0e8792b58f9237e03516447b7048d63c
SHA1 6f28494f0766ee470bbced1fe79fb10e5fee8252
SHA256 7e4e7447ce04580a3af3a9bf90810712d6daebc0ced6c6856eae22771ac50956
SHA512 6b935debde1916d7b1f2239ac3534c1f1585406c0d5f1060fdb356253cfab2fe9c716fd7ad05f20b9b3bb222307f15ae1b88e9062c7282d570b523150364e8a5

C:\Windows\system32\drivers\etc\hosts

MD5 6f4adf207ef402d9ef40c6aa52ffd245
SHA1 4b05b495619c643f02e278dede8f5b1392555a57
SHA256 d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e
SHA512 a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

memory/1692-12-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4916-9-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe

MD5 7b112b1fb864c90ec5b65eab21cb40b8
SHA1 e7b73361f722fc7cbb93ef98a8d26e34f4d49767
SHA256 751941b4e09898c31791efeb5f90fc7367c89831d4a98637ed505e40763e287b
SHA512 bf9cdeff39cc4fa48457c55ad02e3856b5b27998535aed801a469252f01e7676462332fa3f93877753e963d037472f615c1fc5fc2e996316621b4e0a180cb5f5

C:\Users\Admin\AppData\Local\Temp\$$a36A0.bat

MD5 7d75115f146a41579fda669925d9c6af
SHA1 915410f1a7d11a0b2ed80eaac9b2177ecd0b2987
SHA256 38af0b3a44bd95b25d5e5ba807abd14c38b938f0b1e40ec2ca26c767ecde7734
SHA512 4cde859778b74d559cbf0e34202deb3566e768d7621d25a85c341589ca6744d527007e8501fbbf9b1094736b412a4fde4a4ab04ec91f21997b3cacaf7ae3adfc

memory/1692-19-0x0000000000400000-0x000000000043E000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3270530367-132075249-2153716227-1000\_desktop.ini

MD5 331b730a7f1adbf1f0bc05e0c610f0f1
SHA1 2f2283f84f040fbd4ecf99055026b70bb3b732ec
SHA256 2d3dbb80989e5cc7ef9ef800cc986bb8dccf4ca1f78437040bccd59312a55593
SHA512 16790117c382e66c8af2932ed0c37229ae5ee6b8bbaa8bd4e3f9afed6e07cd89c5807c81145f19f561ab714d844826cf6099a6dc97d84fa3f9da5e763bcc78c4

C:\Program Files\CopyRedo.exe

MD5 3fc854f5234617e54eec356be4a05afc
SHA1 21feae9fd6ea76e22c744cac7dabda8187c40816
SHA256 6423b1b736edf1b71c06828c811da1f3d62880f067fd1ea5cc9ae79a8aac29aa
SHA512 128993c93618f71a05feed5844ab810cd898d84c80822ed246106b79e7efef1e06462fa770d779245aefb94d5ff9d6678bb334bfe9d8c16d51da7defd5682869

memory/1692-2308-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 196e80c6461b51a75560df3e57cfbd9a
SHA1 3dd1bb9835e97f093efe4ffd8c078d8fa3d4ef7f
SHA256 dee2cf210ee5f75549462b7cb03674155eb011190c77e332d53edcf655bcc237
SHA512 00a3d357b589b85a644c78558fd8eff80832cec119f8d4976f7248ce2521dbe331078129ec35af26ec18d182daad55812e3d57f2f9b73615762a37ac2fc15798

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 15137620fba9c2013dfa9107be4321d5
SHA1 31c790632ae19274fc2ed7e1615458324bc199bd
SHA256 37cf90de70064c0ecf765ae35e8b0cf412c90cca2aaa2513cfba95b408b4e604
SHA512 e2cbb59ec77cb009bf1b0d8d398c0898e65380858d33afb58e6ffc762842526f097d112369200cda95f015f5aa75e5af88810e2f2e174e0d1600cb6ec22a77e3

memory/1692-8617-0x0000000000400000-0x000000000043E000-memory.dmp
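Each entry in the Files section pairs a path with its MD5, SHA1, SHA256 and SHA512, interleaved with the names of memory dumps taken from PIDs 4916 and 1692. One detail worth pulling out: the entry for the sample's own path, C:\Users\Admin\AppData\Local\Temp\a3fa29b6…exe, carries SHA256 751941b4…, not the submitted a3fa29b6…, so the binary at that path was rewritten during detonation, which fits the "Deletes itself" signature attributed to cmd.exe, the $$a36A0.bat batch file it ran, and the relaunch of that path recorded in the WriteProcessMemory table. The Python below is an added analyst helper, not part of the sandbox output. It parses the first three entries of the Files section (copied verbatim as constructed input), checks that each digest has the right length for its algorithm, reports the rewrite, and hunts a directory tree for files whose SHA256 matches the listed values; the submitted hash is taken from the report header.

```python
"""Turn this report's Files section into a hash IOC table and hunt with it.

Added analyst helper, not part of the sandbox output. FILES_TEXT is the first
three file entries of the Files section copied verbatim (constructed input for
the parser); SUBMITTED_SHA256 is the sample hash from the report header.
"""
import hashlib
import os
import re

SUBMITTED_SHA256 = "a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220"

FILES_TEXT = r"""
memory/4916-0-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\Logo1_.exe

MD5 0e8792b58f9237e03516447b7048d63c
SHA1 6f28494f0766ee470bbced1fe79fb10e5fee8252
SHA256 7e4e7447ce04580a3af3a9bf90810712d6daebc0ced6c6856eae22771ac50956
SHA512 6b935debde1916d7b1f2239ac3534c1f1585406c0d5f1060fdb356253cfab2fe9c716fd7ad05f20b9b3bb222307f15ae1b88e9062c7282d570b523150364e8a5

C:\Windows\system32\drivers\etc\hosts

MD5 6f4adf207ef402d9ef40c6aa52ffd245
SHA1 4b05b495619c643f02e278dede8f5b1392555a57
SHA256 d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e
SHA512 a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

memory/1692-12-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4916-9-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a3fa29b61df3e86bdf4f442579cf5dd49de4f4f0c06bdd4faecbe2d971293220.exe

MD5 7b112b1fb864c90ec5b65eab21cb40b8
SHA1 e7b73361f722fc7cbb93ef98a8d26e34f4d49767
SHA256 751941b4e09898c31791efeb5f90fc7367c89831d4a98637ed505e40763e287b
SHA512 bf9cdeff39cc4fa48457c55ad02e3856b5b27998535aed801a469252f01e7676462332fa3f93877753e963d037472f615c1fc5fc2e996316621b4e0a180cb5f5
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-f]+)$")
DIGEST_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}   # hex characters


def parse_files_section(text):
    """Return ({path: {algo: hexdigest}}, [memory dump names]); reject truncated digests."""
    files, dumps, current = {}, [], None
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            algo, hexdigest = m.groups()
            if len(hexdigest) != DIGEST_LEN[algo]:
                raise ValueError(f"{algo} for {current} has {len(hexdigest)} hex chars")
            files[current][algo] = hexdigest
        elif line.startswith("memory/"):
            dumps.append(line)
            current = None
        else:
            current = line
            files[current] = {}
    return files, dumps


def rewritten_at_sample_path(files, submitted_sha256):
    """True if the file at the sample's own path now carries a different SHA256
    than the submitted binary, i.e. the sample replaced itself on disk."""
    for path, hashes in files.items():
        if path.lower().endswith(submitted_sha256 + ".exe"):
            return hashes.get("SHA256", "").lower() != submitted_sha256
    return False


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def hunt(root, wanted_sha256):
    """Walk `root`; return {sha256: [paths]} for every file whose digest is in `wanted_sha256`."""
    wanted, hits = {h.lower() for h in wanted_sha256}, {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            p = os.path.join(dirpath, name)
            try:
                d = sha256_of(p)
            except OSError:   # unreadable or vanished file: skip, do not abort the hunt
                continue
            if d in wanted:
                hits.setdefault(d, []).append(p)
    return hits


def self_check():
    """Build a throwaway directory with one constructed file and confirm hunt() finds it by hash."""
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "constructed.bin")
        with open(p, "wb") as f:
            f.write(b"constructed content, not malware")
        digest = sha256_of(p)
        return hunt(d, {digest}) == {digest: [p]}


if __name__ == "__main__":
    files, dumps = parse_files_section(FILES_TEXT)
    print(f"{len(files)} files, {len(dumps)} memory dumps")
    print("sample path rewritten:", rewritten_at_sample_path(files, SUBMITTED_SHA256))
    print(hunt(os.environ.get("HUNT_ROOT", "."), {h["SHA256"] for h in files.values()}))
```

Hash matching is exact by nature: it confirms the listed Logo1_.exe build or this exact modified hosts file, and nothing else. The hosts entry is the more useful hunting hash of the two, since a hosts file matching d9704dab… means the same modification was made on the endpoint. For the dropped executables, pair the hash list with the name and location checks from the earlier example rather than relying on hashes alone.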