Malware Analysis Report

2024-11-30 02:49

Sample ID 240407-wl6craad9v
Target e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778
SHA256 e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778
Tags
spyware stealer
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778

Threat Level: Likely malicious

The file e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778 was found to be: Likely malicious.

Malicious Activity Summary

spyware stealer

Drops file in Drivers directory

Reads user/profile data of web browsers

Executes dropped EXE

Drops startup file

Loads dropped DLL

Deletes itself

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 18:01

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 18:01

Reported

2024-04-07 18:04

Platform

win7-20231129-en

Max time kernel

149s

Max time network

123s

Command Line

C:\Windows\Explorer.EXE

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe N/A
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\Logo1_.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\lib\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Defender\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Mail\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Mail\wabmig.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\bin\plugin2\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Purble Place\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Uninstall Information\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\bn_IN\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\en_GB\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\.settings\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\sd\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Internet Explorer\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\WinMail.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\fy\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\nb\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\si\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\WMPDMC.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Solitaire\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\my\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1848 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe C:\Windows\SysWOW64\net.exe
PID 1848 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe C:\Windows\SysWOW64\net.exe
PID 1848 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe C:\Windows\SysWOW64\net.exe
PID 1848 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe C:\Windows\SysWOW64\net.exe
PID 2040 wrote to memory of 2128 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2040 wrote to memory of 2128 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2040 wrote to memory of 2128 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2040 wrote to memory of 2128 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1848 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 2920 N/A C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe C:\Windows\Logo1_.exe
PID 1848 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe C:\Windows\Logo1_.exe
PID 1848 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe C:\Windows\Logo1_.exe
PID 1848 wrote to memory of 2252 N/A C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe C:\Windows\Logo1_.exe
PID 2252 wrote to memory of 2560 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2252 wrote to memory of 2560 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2252 wrote to memory of 2560 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2252 wrote to memory of 2560 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2560 wrote to memory of 2680 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2560 wrote to memory of 2680 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2560 wrote to memory of 2680 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2560 wrote to memory of 2680 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2920 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe
PID 2920 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe
PID 2920 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe
PID 2920 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe
PID 2920 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe
PID 2920 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe
PID 2920 wrote to memory of 2792 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe
PID 2252 wrote to memory of 2660 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2252 wrote to memory of 2660 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2252 wrote to memory of 2660 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2252 wrote to memory of 2660 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2660 wrote to memory of 2152 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2660 wrote to memory of 2152 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2660 wrote to memory of 2152 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2660 wrote to memory of 2152 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2252 wrote to memory of 1368 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2252 wrote to memory of 1368 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe

"C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1D9E.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe

"C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/1848-0-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a1D9E.bat

MD5 815988b4aaa893f9678393f06ab3a22d
SHA1 a5055a0bf15330d72e37ceed29dd750e820e3e1c
SHA256 5cbc876f1b69e0a3c4c0ec4b50a04dcb3cc99dad5e51b9829af7156dae1365e8
SHA512 0885c8190c68697d3440fa6b03c9fb97a06002993e1b06bb13c75eaf7b2b91f4a1a7e688c7098d8fcbe993f60a18298b35fd01a2de064e9978026f9d5e6fa10f

C:\Windows\Logo1_.exe

MD5 384d0952602056fafd371dbd11b3d286
SHA1 3e684421646dac610a76bb629c9f784ef4ac2e0b
SHA256 aafe24ff05a99329134aada19587fc549faf4645b24c0be2842f1fabe7baf57b
SHA512 fae0557f28a030aa94ac5f5f32a8e5b88e9e320ccc1d1aae2bf4ce1ea3d24ac5eb8b85ce6ce7a4f1eb309138e65fbe3fc03591c74de4108b13f5004977f148b0

memory/1848-17-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2252-20-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\system32\drivers\etc\hosts

MD5 7e3a0edd0c6cd8316f4b6c159d5167a1
SHA1 753428b4736ffb2c9e3eb50f89255b212768c55a
SHA256 1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c
SHA512 9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe.exe

MD5 ad782ffac62e14e2269bf1379bccbaae
SHA1 9539773b550e902a35764574a2be2d05bc0d8afc
SHA256 1c8a77db924ebeb952052334dc95add388700c02b073b07973cd8fe0a0a360b8
SHA512 a1e9d6316ffc55f4751090961733e98c93b2a391666ff50b50e9dea39783746e501d14127e7ee9343926976d7e3cd224f13736530354d8466ea995dab35c8dc2

memory/1368-28-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

memory/2252-32-0x0000000000400000-0x000000000043E000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\_desktop.ini

MD5 331b730a7f1adbf1f0bc05e0c610f0f1
SHA1 2f2283f84f040fbd4ecf99055026b70bb3b732ec
SHA256 2d3dbb80989e5cc7ef9ef800cc986bb8dccf4ca1f78437040bccd59312a55593
SHA512 16790117c382e66c8af2932ed0c37229ae5ee6b8bbaa8bd4e3f9afed6e07cd89c5807c81145f19f561ab714d844826cf6099a6dc97d84fa3f9da5e763bcc78c4

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 1ad964deadb00f47c609cedd2821a776
SHA1 2c514efec9860611031bc4c2967dab20b9eded45
SHA256 ba585fffc2968ea09b2901df8cbc1e75572bc539c914487dc3c46406096e7f07
SHA512 4b40ac0516f3244b23b294b5afdf771567fb6c275289b15e70cb9060be8ae4801910cb1ae710f033bdfa955ad36aa51971e2401d67a622093e94c70e35defb67

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 e93193856beaecee9905e2a6f36be17f
SHA1 d4c267ea34f28f048e29461656984aad70912eda
SHA256 1d345f4e09acdbc12e63ce90d0bd373b56d50a378f4603d8425f6df815e44a7b
SHA512 1fbe9c0e86ad98d6a2a7924badec0fffc69a7d0a4839e8af45d0aedf1e4e24a4a798df0ec5b8d0aa6e0e566c0c83a4030549bd32b9ac27406fc772d4a2ff5fc3

memory/2252-3280-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2252-4084-0x0000000000400000-0x000000000043E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 18:01

Reported

2024-04-07 18:04

Platform

win10v2004-20240226-en

Max time kernel

149s

Max time network

156s

Command Line

C:\Windows\Explorer.EXE

Signatures

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe N/A
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\Logo1_.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\uk-ua\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-si\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sk-sk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\eu-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\he-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\hu-hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pl-pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\fr-ma\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\VisualElements\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Licenses\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Fonts\private\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\he-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Trust Protection Lists\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-ma\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pl-pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\uk-ua\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\bin\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fur\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\hy\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sk-sk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sk-sk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javah.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ff\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ja-jp\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\he-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\cs-cz\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ia\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\hr-hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe N/A (26 identical rows)
N/A N/A C:\Windows\Logo1_.exe N/A (38 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3228 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe C:\Windows\SysWOW64\net.exe (3 identical rows)
PID 2136 wrote to memory of 1604 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe (3 identical rows)
PID 3228 wrote to memory of 232 N/A C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe C:\Windows\SysWOW64\cmd.exe (3 identical rows)
PID 3228 wrote to memory of 4236 N/A C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe C:\Windows\Logo1_.exe (3 identical rows)
PID 4236 wrote to memory of 3028 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe (3 identical rows)
PID 3028 wrote to memory of 112 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe (3 identical rows)
PID 232 wrote to memory of 4088 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe (3 identical rows)
PID 4236 wrote to memory of 2920 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe (3 identical rows)
PID 2920 wrote to memory of 4184 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe (3 identical rows)
PID 4236 wrote to memory of 3436 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE (2 identical rows)

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe

"C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a73A9.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe

"C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 37.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 168.117.168.52.in-addr.arpa udp

Files

memory/3228-0-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Windows\Logo1_.exe

MD5 384d0952602056fafd371dbd11b3d286
SHA1 3e684421646dac610a76bb629c9f784ef4ac2e0b
SHA256 aafe24ff05a99329134aada19587fc549faf4645b24c0be2842f1fabe7baf57b
SHA512 fae0557f28a030aa94ac5f5f32a8e5b88e9e320ccc1d1aae2bf4ce1ea3d24ac5eb8b85ce6ce7a4f1eb309138e65fbe3fc03591c74de4108b13f5004977f148b0

C:\Windows\system32\drivers\etc\hosts

MD5 6f4adf207ef402d9ef40c6aa52ffd245
SHA1 4b05b495619c643f02e278dede8f5b1392555a57
SHA256 d9704dab05e988be3e5e7b7c020bb9814906d11bb9c31ad80d4ed1316f6bc94e
SHA512 a6306bd200a26ea78192ae5b00cc49cfab3fba025fe7233709a4e62db0f9ed60030dce22b34afe57aad86a098c9a8c44e080cedc43227cb87ef4690baec35b47

memory/4236-11-0x0000000000400000-0x000000000043E000-memory.dmp

memory/3228-9-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a73A9.bat

MD5 8c36e0a1aff603fd885765e2aef5e81e
SHA1 100750822293850e08a8559ff2bf3b83e8174b0d
SHA256 27882359dcd22de86acb778d39368c68933f70deaf361f9a50c3ed1091219cfd
SHA512 1b3585f95dce9758773238473e40c74795d7b72181f5c131298fa496b1c7c78a04f0cf297b0d3a8c653ce3923efe0a17fdddb67ace28aeb5284ddd7a1394eaba

C:\Users\Admin\AppData\Local\Temp\e43ef8dd6ebdef0f887a0a29838fa87b2176a2b04321e59a0a907b3de3e4d778.exe.exe

MD5 ad782ffac62e14e2269bf1379bccbaae
SHA1 9539773b550e902a35764574a2be2d05bc0d8afc
SHA256 1c8a77db924ebeb952052334dc95add388700c02b073b07973cd8fe0a0a360b8
SHA512 a1e9d6316ffc55f4751090961733e98c93b2a391666ff50b50e9dea39783746e501d14127e7ee9343926976d7e3cd224f13736530354d8466ea995dab35c8dc2

memory/4236-19-0x0000000000400000-0x000000000043E000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-513485977-2495024337-1260977654-1000\_desktop.ini

MD5 331b730a7f1adbf1f0bc05e0c610f0f1
SHA1 2f2283f84f040fbd4ecf99055026b70bb3b732ec
SHA256 2d3dbb80989e5cc7ef9ef800cc986bb8dccf4ca1f78437040bccd59312a55593
SHA512 16790117c382e66c8af2932ed0c37229ae5ee6b8bbaa8bd4e3f9afed6e07cd89c5807c81145f19f561ab714d844826cf6099a6dc97d84fa3f9da5e763bcc78c4

C:\Program Files\7-Zip\7z.exe

MD5 719524fa3146469104662c971df71539
SHA1 0d0bb6eb8381bacd99f8286c03c2e890be90bde3
SHA256 b33069dfb1fa16d84c99805217e494dc6f8f9046ea201a77a43b786bd969ef2d
SHA512 bc927c53f6a666ade0002d87736ccbe0424c01acc4237120a84b9bdd21e9a0b5cec42e4245faaf15c3a0aec84e98317254c9d27859ea602d6af44c8ee1f39c0d

memory/4236-1126-0x0000000000400000-0x000000000043E000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 1ad964deadb00f47c609cedd2821a776
SHA1 2c514efec9860611031bc4c2967dab20b9eded45
SHA256 ba585fffc2968ea09b2901df8cbc1e75572bc539c914487dc3c46406096e7f07
SHA512 4b40ac0516f3244b23b294b5afdf771567fb6c275289b15e70cb9060be8ae4801910cb1ae710f033bdfa955ad36aa51971e2401d67a622093e94c70e35defb67

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 15137620fba9c2013dfa9107be4321d5
SHA1 31c790632ae19274fc2ed7e1615458324bc199bd
SHA256 37cf90de70064c0ecf765ae35e8b0cf412c90cca2aaa2513cfba95b408b4e604
SHA512 e2cbb59ec77cb009bf1b0d8d398c0898e65380858d33afb58e6ffc762842526f097d112369200cda95f015f5aa75e5af88810e2f2e174e0d1600cb6ec22a77e3

memory/4236-5548-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4236-8598-0x0000000000400000-0x000000000043E000-memory.dmp