Malware Analysis Report

2025-08-10 12:31

Sample ID: 240527-r94fvagb3s
Target: 5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff
SHA256: 5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff
Tags: spyware stealer
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10
SHA256: 5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff
Threat Level: Shows suspicious behavior

The file 5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff was classified as "Shows suspicious behavior".

Malicious Activity Summary

Tags: spyware stealer

Deletes itself
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Executes dropped EXE
Enumerates connected drives
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Suspicious use of WriteProcessMemory
Runs net.exe
Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-27 14:54

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-27 14:54
Reported: 2024-05-27 14:57
Platform: win7-20240419-en
Max time kernel: 149s
Max time network: 119s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

Tags: spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\SpiderSolitaire.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ie\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\th\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Mail\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\lib\fonts\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Mail\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Accessories\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\DESIGNER\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_chroma\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Stationery\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA7\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Australia\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\FreeCell\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\he\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\FLTLDR.EXE C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Chess\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff.exe N/A (13 identical events)
N/A N/A C:\Windows\Logo1_.exe N/A (30 identical events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3020 wrote to memory of 1828 N/A C:\Users\Admin\AppData\Local\Temp\5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff.exe C:\Windows\SysWOW64\net.exe (4 identical events)
PID 1828 wrote to memory of 2780 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe (4 identical events)
PID 3020 wrote to memory of 2336 N/A C:\Users\Admin\AppData\Local\Temp\5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff.exe C:\Windows\SysWOW64\cmd.exe (4 identical events)
PID 3020 wrote to memory of 2612 N/A C:\Users\Admin\AppData\Local\Temp\5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff.exe C:\Windows\Logo1_.exe (4 identical events)
PID 2612 wrote to memory of 2604 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe (4 identical events)
PID 2604 wrote to memory of 2488 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe (4 identical events)
PID 2612 wrote to memory of 2764 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe (4 identical events)
PID 2764 wrote to memory of 2396 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe (4 identical events)
PID 2612 wrote to memory of 1152 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE (2 identical events)

Processes (image path, followed by the command line it was started with)

C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff.exe
    "C:\Users\Admin\AppData\Local\Temp\5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff.exe"

C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1861.bat

C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff.exe
    "C:\Users\Admin\AppData\Local\Temp\5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff.exe"

C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/3020-0-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a1861.bat

MD5 e8d0a495a5c28f734de357b1551c6834
SHA1 0ad8fbd3d4f56cb6bc05fb5ac3893d748781089b
SHA256 748ea4a583b88e45d7fd2bcda133a07184b46e7f31bb86223a4788d45806a000
SHA512 9bff037271165f183a7a69a3a08b62ff8e88fae7b03ba76095b805b836b30f6d69ad3475e13e10ed6df726e51174a03f975ecb40dbe62e0c25f2ec283ea7509d

C:\Windows\Logo1_.exe

MD5 5a63f8e9068767deb1ccd980deb047fa
SHA1 9383b1103782394fbbee5705456e4f3600a86b66
SHA256 29de80ac5ca4f60d8fbdc59d956164370d31dd5d4504cf8fa97c29800eb7766c
SHA512 f42e3e5217dd13e7efa8092969e65f1b5eb1273d12685c90c5b3ca31e2a9502e12244111d555245e4f8505c0cdadfb7e73c565e2dcbd8fab568867957652b5bc

memory/2612-19-0x0000000000400000-0x000000000043D000-memory.dmp

memory/3020-17-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff.exe.exe

MD5 ba18e99b3e17adb5b029eaebc457dd89
SHA1 ec0458f3c00d35b323f08d4e1cc2e72899429c38
SHA256 f5ee36de8edf9be2ac2752b219cfdcb7ca1677071b8e116cb876306e9f1b6628
SHA512 1f41929e6f5b555b60c411c7810cbf14e3af26100df5ac4533ec3739a278c1b925687284660efb4868e3741305098e2737836229efc9fe46c97a6057c10e677c

memory/1152-27-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

memory/2612-31-0x0000000000400000-0x000000000043D000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-481678230-3773327859-3495911762-1000\_desktop.ini

MD5 fa1e1ef0fdda97877a13339b28fa95e5
SHA1 7e2cffca41118e7b2d62963bd940630b15b85653
SHA256 968b715c081472526487d60da8968e9b3bde2dac103f69beb3f6abe6ef7bc191
SHA512 3d55913a97aa89a7201342705640c1d031d19ad8aca4939219067f84e3fe118f47b4e388f490f69f605683d3854425c3de188f731886405474ae8e3d42c86f4f

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 25161eb204d86328bf9af51c9f0753b9
SHA1 b68529e2a928f8c5c424474eb69ceae0415d9c0c
SHA256 c600e7f71b7a59ba015142cb4411f8fd86e6888ed41e55298c21289c3a8ac315
SHA512 e7d13a41338fe1787b44feddd74dcccd200ce2f069766cabeb76b7cbe957ef22a41499a11229c94e06fd59462a6b824fa62d7d13cc362c7adf2f1e05c03de926

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 5700ba4e3909c1880d8210357d85dc81
SHA1 f24e2100cc3cee398eb116957faa839e69e73d0a
SHA256 853f0d42da7e7db96eda3ffc261acbf0ae35585311d8919f8cd87c2984c1e1bd
SHA512 e54dd8ba25b56287ef4c4f6d427df62f5dca49c5bf6095146c86cbfc35238506aa1015d0e470663392f5470e2cd7eed838e60c105183dbe51a496f75098e8c8c

memory/2612-3302-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2612-4133-0x0000000000400000-0x000000000043D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-27 14:54
Reported: 2024-05-27 14:57
Platform: win10v2004-20240508-en
Max time kernel: 150s
Max time network: 150s

Command Line

C:\Windows\Explorer.EXE

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A

Reads user/profile data of web browsers

Tags: spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\include\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ca-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\uk-UA\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA7.1\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-cn\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\home-view\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\DW\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\de\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\zh_TW\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fr-ma\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\nb-no\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\Media Renderer\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Office Setup Controller\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\cs-cz\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ssvagent.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA6\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Uninstall Information\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Simple\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fi-fi\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files-select\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fi-fi\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-ma\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\win\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2628 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff.exe C:\Windows\SysWOW64\net.exe
PID 3040 wrote to memory of 3232 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2628 wrote to memory of 4900 N/A C:\Users\Admin\AppData\Local\Temp\5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff.exe C:\Windows\SysWOW64\cmd.exe
PID 2628 wrote to memory of 4628 N/A C:\Users\Admin\AppData\Local\Temp\5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff.exe C:\Windows\Logo1_.exe
PID 4628 wrote to memory of 3328 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3328 wrote to memory of 4740 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4628 wrote to memory of 3052 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3052 wrote to memory of 2316 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4628 wrote to memory of 3420 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff.exe

"C:\Users\Admin\AppData\Local\Temp\5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4F49.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff.exe

"C:\Users\Admin\AppData\Local\Temp\5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

Country Destination Domain Proto

Files

memory/2628-0-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\Logo1_.exe

memory/2628-10-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4628-11-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a4F49.bat

C:\Users\Admin\AppData\Local\Temp\5591a9fa585535638d04783fe1d33206a3c5f2f01fe5008315e5f92096054dff.exe.exe

memory/4628-18-0x0000000000400000-0x000000000043D000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\_desktop.ini

C:\Program Files\7-Zip\7z.exe

memory/4628-2964-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

memory/4628-8635-0x0000000000400000-0x000000000043D000-memory.dmp