Malware Analysis Report

2024-11-30 02:48

Sample ID: 240407-wka58aad5v
Target: 4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb
SHA256: 4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb
Tags: spyware, stealer
Score: 8/10


Analysis Overview

Score: 8/10

SHA256: 4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb

Threat Level: Likely malicious

The file 4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb was found to be: Likely malicious.

Malicious Activity Summary

Tags: spyware, stealer

Drops file in Drivers directory

Reads user/profile data of web browsers

Loads dropped DLL

Deletes itself

Drops startup file

Executes dropped EXE

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Runs net.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-04-07 17:58

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-04-07 17:58
Reported: 2024-04-07 18:00
Platform: win7-20240319-en
Max time kernel: 150s
Max time network: 125s

Command Line

C:\Windows\Explorer.EXE

Signatures

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe | N/A
File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\Logo1_.exe | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\W: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\Logo1_.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\ku_IQ\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\es-ES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\an\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\access\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\pt_BR\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\ru\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Windows Defender\en-US\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Chess\es-ES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\nn\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VGX\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\lua\playlist\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENFR\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Windows Media Player\es-ES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\More Games\it-IT\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\bn_IN\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\fy\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\te\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\services_discovery\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Windows Journal\Journal.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Windows Journal\Templates\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Windows Mail\es-ES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe | C:\Windows\Logo1_.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Logo1_.exe | C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe | N/A
File opened for modification | C:\Windows\rundl132.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Windows\Dll.dll | C:\Windows\Logo1_.exe | N/A
File created | C:\Windows\rundl132.exe | C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe | N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe | N/A (13 identical entries)
N/A | N/A | C:\Windows\Logo1_.exe | N/A (30 identical entries)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2128 wrote to memory of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe | C:\Windows\SysWOW64\net.exe (4 identical entries)
PID 2340 wrote to memory of 2924 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe (4 identical entries)
PID 2128 wrote to memory of 2512 | N/A | C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe | C:\Windows\SysWOW64\cmd.exe (4 identical entries)
PID 2128 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe | C:\Windows\Logo1_.exe (4 identical entries)
PID 3028 wrote to memory of 1940 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe (4 identical entries)
PID 1940 wrote to memory of 2564 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe (4 identical entries)
PID 2512 wrote to memory of 2552 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe (7 identical entries)
PID 3028 wrote to memory of 2724 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe (4 identical entries)
PID 2724 wrote to memory of 2244 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe (4 identical entries)
PID 3028 wrote to memory of 1196 | N/A | C:\Windows\Logo1_.exe | C:\Windows\Explorer.EXE (2 identical entries)

Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe"

C:\Windows\SysWOW64\net.exe
  Command line: net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe
  Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a341B.bat

C:\Windows\Logo1_.exe
  Command line: C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe
  Command line: net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe
  Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe"

C:\Windows\SysWOW64\net.exe
  Command line: net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe
  Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/2128-0-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a341B.bat

MD5 5b53970a172e8b0dfca64d865c642f06
SHA1 ec8ac5e2ab71a7b8d5bb9ad0c372088521fabd5e
SHA256 3a58effd829aee2daf144198b43e474b728c04bc2e560acfecba543d46469e6f
SHA512 a1cea7ff4c0d7e5623ce12eb9c72cd804d33b36c86f6ba8e632736265e7998e8e51ed176ecd968a881f8f0bc35b6e67fc80c91f64c559c4f49c58962d9d315bd

C:\Windows\Logo1_.exe

MD5 d07529ec6edb6926de81d6a28ea952e7
SHA1 10756c03d36ec17034a3a75a70e9d9a387a753c3
SHA256 855aa3ac46c73b5d4542a848fd7833ab27e5b42d7b32039acba108c4bb19d71b
SHA512 f1e60db774ab70fc2c62e987254b88993ab6ad9bfbf4f0c09f2a49290a87c9921c793d8818c96d98e78089caf80699ed6aaf6147e482840a156914852b83d91d

C:\Windows\system32\drivers\etc\hosts

MD5 7e3a0edd0c6cd8316f4b6c159d5167a1
SHA1 753428b4736ffb2c9e3eb50f89255b212768c55a
SHA256 1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c
SHA512 9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

memory/3028-21-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2128-17-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe.exe

MD5 6f581a41167d2d484fcba20e6fc3c39a
SHA1 d48de48d24101b9baaa24f674066577e38e6b75c
SHA256 3eb8d53778eab9fb13b4c97aeab56e4bad2a6ea3748d342f22eaf4d7aa3185a7
SHA512 e1177b6cea89445d58307b3327c78909adff225497f9abb8de571cdd114b547a8f515ec3ab038b583bf752a085b231f6329d6ca82fbe6be8a58cd97a1dbaf0f6

memory/2128-16-0x0000000001C90000-0x0000000001CCE000-memory.dmp

memory/1196-29-0x0000000002A00000-0x0000000002A01000-memory.dmp

memory/3028-33-0x0000000000400000-0x000000000043E000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-2610426812-2871295383-373749122-1000\_desktop.ini

MD5 331b730a7f1adbf1f0bc05e0c610f0f1
SHA1 2f2283f84f040fbd4ecf99055026b70bb3b732ec
SHA256 2d3dbb80989e5cc7ef9ef800cc986bb8dccf4ca1f78437040bccd59312a55593
SHA512 16790117c382e66c8af2932ed0c37229ae5ee6b8bbaa8bd4e3f9afed6e07cd89c5807c81145f19f561ab714d844826cf6099a6dc97d84fa3f9da5e763bcc78c4

memory/3028-1730-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 84325e9c8a739d68679ebcfc4f66304d
SHA1 436fe16c566c7ab2a9acfc769800d67c1ca9ec13
SHA256 392d3ea2de89e3559fa249a3dba2932d7c5cd847279b1ce444df3cc00a543f99
SHA512 1565a3cc8e3d8bcc95319ac608fe483642b2d84fdb11f02ad679d706f03236ab35367a84c34e97ec5e017f3b48553dc7bc8f3196fb25a95b88367cd587098a2e

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 e93193856beaecee9905e2a6f36be17f
SHA1 d4c267ea34f28f048e29461656984aad70912eda
SHA256 1d345f4e09acdbc12e63ce90d0bd373b56d50a378f4603d8425f6df815e44a7b
SHA512 1fbe9c0e86ad98d6a2a7924badec0fffc69a7d0a4839e8af45d0aedf1e4e24a4a798df0ec5b8d0aa6e0e566c0c83a4030549bd32b9ac27406fc772d4a2ff5fc3

memory/3028-3298-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3028-4061-0x0000000000400000-0x000000000043E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-04-07 17:58
Reported: 2024-04-07 18:01
Platform: win10v2004-20240226-en
Max time kernel: 164s
Max time network: 172s

Command Line

C:\Windows\Explorer.EXE

Signatures

Drops file in Drivers directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | C:\Windows\Logo1_.exe | N/A

Reads user/profile data of web browsers

Tags: spyware, stealer

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\Y: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\Logo1_.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\tr\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\legal\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sk-sk\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\de-de\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hr-hr\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\de-de\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nl-nl\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\Stationery\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\notification_helper.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\zh-tw\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hr-hr\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-fr\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\pl-pl\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\legal\jdk\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\it-it\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-cn\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fr-ma\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fi-fi\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\uk-UA\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\pingsender.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\sl\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\nb-no\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugins\rhp\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\ODBC\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\collect_feedback\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ko-kr\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sv-se\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ja-jp\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ru-ru\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\sl-sl\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hr-hr\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\zh-Hans\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\ug\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\skins\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ru-ru\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ja-jp\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses16\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Internet Explorer\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Photo Viewer\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ga\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3316 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe C:\Windows\SysWOW64\net.exe
PID 3316 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe C:\Windows\SysWOW64\net.exe
PID 3316 wrote to memory of 3216 N/A C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe C:\Windows\SysWOW64\net.exe
PID 3316 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe C:\Windows\SysWOW64\cmd.exe
PID 3316 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe C:\Windows\SysWOW64\cmd.exe
PID 3316 wrote to memory of 3288 N/A C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe C:\Windows\SysWOW64\cmd.exe
PID 3316 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe C:\Windows\Logo1_.exe
PID 3316 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe C:\Windows\Logo1_.exe
PID 3316 wrote to memory of 1020 N/A C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe C:\Windows\Logo1_.exe
PID 3216 wrote to memory of 1968 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3216 wrote to memory of 1968 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3216 wrote to memory of 1968 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1020 wrote to memory of 4228 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1020 wrote to memory of 4228 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1020 wrote to memory of 4228 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3288 wrote to memory of 3252 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe
PID 3288 wrote to memory of 3252 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe
PID 3288 wrote to memory of 3252 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe
PID 4228 wrote to memory of 2652 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4228 wrote to memory of 2652 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4228 wrote to memory of 2652 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1020 wrote to memory of 3188 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1020 wrote to memory of 3188 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1020 wrote to memory of 3188 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3188 wrote to memory of 1148 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3188 wrote to memory of 1148 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3188 wrote to memory of 1148 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1020 wrote to memory of 3552 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 1020 wrote to memory of 3552 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe

"C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC091.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe

"C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1332 --field-trial-handle=2268,i,8796662530135712346,11409037572378858775,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 edge.msiserver.lan udp
US 8.8.8.8:53 edge.msiserver.lan udp
US 8.8.8.8:53 edge.msiserver.lan udp
US 8.8.8.8:53 edge.msiserver.lan udp
US 8.8.8.8:53 edge.msiserver.lan udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
DE 142.250.185.138:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 138.185.250.142.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 edge.msiserver.lan udp
US 8.8.8.8:53 edge.msiserver.lan udp
US 8.8.8.8:53 edge.msiserver.lan udp
US 8.8.8.8:53 edge.msiserver.lan udp
US 8.8.8.8:53 edge.msiserver.lan udp

Files

memory/3316-0-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3316-7-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\Logo1_.exe

MD5 d07529ec6edb6926de81d6a28ea952e7
SHA1 10756c03d36ec17034a3a75a70e9d9a387a753c3
SHA256 855aa3ac46c73b5d4542a848fd7833ab27e5b42d7b32039acba108c4bb19d71b
SHA512 f1e60db774ab70fc2c62e987254b88993ab6ad9bfbf4f0c09f2a49290a87c9921c793d8818c96d98e78089caf80699ed6aaf6147e482840a156914852b83d91d

memory/1020-10-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\system32\drivers\etc\hosts

MD5 6f4adf207ef402d9ef40c6aa52ffd245
SHA1 4b05b495619c643f02e278dede8f5b1392555a57
SHA256 d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e
SHA512 a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

C:\Users\Admin\AppData\Local\Temp\$$aC091.bat

MD5 5b046e8998df10ae554b77bff970992a
SHA1 581a9238a379159688426a2eb2edf8dbe9e68948
SHA256 e1d6d5bbab14c774157343249227d5cb759faa530fd773ea0fec43b69f267032
SHA512 20fe9547c425029dda2078376258f547aaba251470bc051315b7612c7721c276b8f956e46cac217ccab45ddafc4f424b1ace8bb9b4ce42e067040d131fe71b9c

C:\Users\Admin\AppData\Local\Temp\4f3c2ad4e49227be920c2b3bdd7c39e4a0aca3356561be544cd210e7d1fbabdb.exe.exe

MD5 6f581a41167d2d484fcba20e6fc3c39a
SHA1 d48de48d24101b9baaa24f674066577e38e6b75c
SHA256 3eb8d53778eab9fb13b4c97aeab56e4bad2a6ea3748d342f22eaf4d7aa3185a7
SHA512 e1177b6cea89445d58307b3327c78909adff225497f9abb8de571cdd114b547a8f515ec3ab038b583bf752a085b231f6329d6ca82fbe6be8a58cd97a1dbaf0f6

memory/1020-20-0x0000000000400000-0x000000000043E000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-1904519900-954640453-4250331663-1000\_desktop.ini

MD5 331b730a7f1adbf1f0bc05e0c610f0f1
SHA1 2f2283f84f040fbd4ecf99055026b70bb3b732ec
SHA256 2d3dbb80989e5cc7ef9ef800cc986bb8dccf4ca1f78437040bccd59312a55593
SHA512 16790117c382e66c8af2932ed0c37229ae5ee6b8bbaa8bd4e3f9afed6e07cd89c5807c81145f19f561ab714d844826cf6099a6dc97d84fa3f9da5e763bcc78c4

C:\Program Files\7-Zip\7z.exe

MD5 bb5877b049416dd5255bccf1f396312a
SHA1 c091eb3c5ed830cec383d77ac44f546d613a29d9
SHA256 fa84f19f96090d4c6e9c3a09bc59cf56787075c4bce8790cc2900bed92c8aa23
SHA512 a89c68e2cc64fd88e5a80fa6f6a0e78503f4078823697e2b7bdecb5bdf833b47bef781949c2a0511e667a5791345cdda00140571c343076078ad43a9350da9bb

memory/1020-426-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1020-851-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1020-1495-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1020-3352-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 84325e9c8a739d68679ebcfc4f66304d
SHA1 436fe16c566c7ab2a9acfc769800d67c1ca9ec13
SHA256 392d3ea2de89e3559fa249a3dba2932d7c5cd847279b1ce444df3cc00a543f99
SHA512 1565a3cc8e3d8bcc95319ac608fe483642b2d84fdb11f02ad679d706f03236ab35367a84c34e97ec5e017f3b48553dc7bc8f3196fb25a95b88367cd587098a2e

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 15137620fba9c2013dfa9107be4321d5
SHA1 31c790632ae19274fc2ed7e1615458324bc199bd
SHA256 37cf90de70064c0ecf765ae35e8b0cf412c90cca2aaa2513cfba95b408b4e604
SHA512 e2cbb59ec77cb009bf1b0d8d398c0898e65380858d33afb58e6ffc762842526f097d112369200cda95f015f5aa75e5af88810e2f2e174e0d1600cb6ec22a77e3

memory/1020-6977-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1020-8705-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1020-8824-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1020-8908-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1020-8976-0x0000000000400000-0x000000000043E000-memory.dmp