Malware Analysis Report

2025-08-10 12:31

Sample ID 240527-satysshc47
Target 5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d
SHA256 5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d
Tags
spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d

Threat Level: Shows suspicious behavior

The file 5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d was found to show suspicious behavior.

Malicious Activity Summary

spyware stealer

Loads dropped DLL

Reads user/profile data of web browsers

Drops startup file

Executes dropped EXE

Deletes itself

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Runs net.exe

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-27 14:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-27 14:55

Reported

2024-05-27 14:58

Platform

win7-20240221-en

Max time kernel

149s

Max time network

124s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FREN\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\th\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\More Games\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\SystemV\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\wa\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Mail\wabmig.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Mahjong\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\More Games\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Checkers\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\nn\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\fi\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\lg\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Journal\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\hrtfs\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\stream_out\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\include\win32\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\oc\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2744 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe C:\Windows\SysWOW64\net.exe
PID 2744 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe C:\Windows\SysWOW64\net.exe
PID 2744 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe C:\Windows\SysWOW64\net.exe
PID 2744 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe C:\Windows\SysWOW64\net.exe
PID 2488 wrote to memory of 2844 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2488 wrote to memory of 2844 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2488 wrote to memory of 2844 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2488 wrote to memory of 2844 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2744 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2636 N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe C:\Windows\SysWOW64\cmd.exe
PID 2744 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe C:\Windows\Logo1_.exe
PID 2744 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe C:\Windows\Logo1_.exe
PID 2744 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe C:\Windows\Logo1_.exe
PID 2744 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe C:\Windows\Logo1_.exe
PID 2688 wrote to memory of 2616 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2688 wrote to memory of 2616 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2688 wrote to memory of 2616 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2688 wrote to memory of 2616 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2616 wrote to memory of 2524 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2616 wrote to memory of 2524 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2616 wrote to memory of 2524 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2616 wrote to memory of 2524 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2636 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe
PID 2636 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe
PID 2636 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe
PID 2636 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe
PID 2636 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe
PID 2636 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe
PID 2636 wrote to memory of 2576 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe
PID 2688 wrote to memory of 2704 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2688 wrote to memory of 2704 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2688 wrote to memory of 2704 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2688 wrote to memory of 2704 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2704 wrote to memory of 2196 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2704 wrote to memory of 2196 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2704 wrote to memory of 2196 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2704 wrote to memory of 2196 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2688 wrote to memory of 1192 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2688 wrote to memory of 1192 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe

"C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a7B29.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe

"C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/2744-0-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a7B29.bat

MD5 20208c019eb5693aa0626fece8da52bc
SHA1 ca6235b8bf045bff955eae3a98196c81a734f420
SHA256 4d48427db29538fc5abdce6b2b4571a6332437de284e690b21b1075865623f92
SHA512 867d4e2327e10d542252884afc7f5441c70749cb58afe1a9c573180844a3c0403679f84fef468fd9eda3db0366d83aead2c6ba592dba528ff745943ddb7f7964

memory/2744-12-0x00000000001C0000-0x00000000001FD000-memory.dmp

memory/2744-18-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\Logo1_.exe

MD5 021a2a0555836de111f013f5eeaaa5f7
SHA1 2d6048f2500d31afe6028b89936901de4f59e0c3
SHA256 9e9e8520278bfdad09f0e7caee657288c69006bf8d40cda2ff811a14fc6db2e5
SHA512 d2b9f264971ddafab44bff6584d74ce983635a0a727646068bf0c7d2db26ca524b6a4d343726f1dae93548230a9e2686691e22ddcc0e018df1bdd0bd18af9032

C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe.exe

MD5 ad782ffac62e14e2269bf1379bccbaae
SHA1 9539773b550e902a35764574a2be2d05bc0d8afc
SHA256 1c8a77db924ebeb952052334dc95add388700c02b073b07973cd8fe0a0a360b8
SHA512 a1e9d6316ffc55f4751090961733e98c93b2a391666ff50b50e9dea39783746e501d14127e7ee9343926976d7e3cd224f13736530354d8466ea995dab35c8dc2

memory/1192-27-0x0000000002700000-0x0000000002701000-memory.dmp

memory/2688-30-0x0000000000400000-0x000000000043D000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-330940541-141609230-1670313778-1000\_desktop.ini

MD5 fa1e1ef0fdda97877a13339b28fa95e5
SHA1 7e2cffca41118e7b2d62963bd940630b15b85653
SHA256 968b715c081472526487d60da8968e9b3bde2dac103f69beb3f6abe6ef7bc191
SHA512 3d55913a97aa89a7201342705640c1d031d19ad8aca4939219067f84e3fe118f47b4e388f490f69f605683d3854425c3de188f731886405474ae8e3d42c86f4f

memory/2688-1802-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 0b13bc356da9ab8c8c3b34a9cc4b1b77
SHA1 eae4523bb908335e1c253cf339f20c80746b7735
SHA256 35269339dfac2f4ff18e696d97215de68692d671da2224aa8327ceadcafc09dd
SHA512 6a7ee3e68114f51c4898c66ea0d9cb1c885fa38188947c700773190885ec543a2eaa83b851b14697fbcb5bdf28b2741ab36dd61c994884c46e504bdf57e62bf8

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 5700ba4e3909c1880d8210357d85dc81
SHA1 f24e2100cc3cee398eb116957faa839e69e73d0a
SHA256 853f0d42da7e7db96eda3ffc261acbf0ae35585311d8919f8cd87c2984c1e1bd
SHA512 e54dd8ba25b56287ef4c4f6d427df62f5dca49c5bf6095146c86cbfc35238506aa1015d0e470663392f5470e2cd7eed838e60c105183dbe51a496f75098e8c8c

memory/2688-4037-0x0000000000400000-0x000000000043D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-27 14:55

Reported

2024-05-27 14:58

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

156s

Command Line

C:\Windows\Explorer.EXE

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\bg\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ca-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\spu\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pl-pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\hr-hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\pl-pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\deploy\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\eu-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ar-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\defaults\pref\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ru-ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Trust Protection Lists\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CANYON\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\am\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nb-no\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\cs-cz\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\uk-ua\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\he-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ja-jp\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Trust Protection Lists\Mu\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\hu-hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\gui\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_filter\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdb.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\cgg\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\cs-cz\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\de\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sk-sk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\Extensions\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4848 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe C:\Windows\SysWOW64\net.exe
PID 4848 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe C:\Windows\SysWOW64\net.exe
PID 4848 wrote to memory of 3800 N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe C:\Windows\SysWOW64\net.exe
PID 3800 wrote to memory of 3912 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3800 wrote to memory of 3912 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3800 wrote to memory of 3912 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4848 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe C:\Windows\SysWOW64\cmd.exe
PID 4848 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe C:\Windows\Logo1_.exe
PID 4848 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe C:\Windows\Logo1_.exe
PID 4848 wrote to memory of 4768 N/A C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe C:\Windows\Logo1_.exe
PID 4768 wrote to memory of 2184 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4768 wrote to memory of 2184 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4768 wrote to memory of 2184 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2184 wrote to memory of 1184 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2184 wrote to memory of 1184 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2184 wrote to memory of 1184 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1860 wrote to memory of 4508 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe
PID 1860 wrote to memory of 4508 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe
PID 1860 wrote to memory of 4508 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe
PID 4768 wrote to memory of 3156 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4768 wrote to memory of 3156 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4768 wrote to memory of 3156 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3156 wrote to memory of 2936 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3156 wrote to memory of 2936 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3156 wrote to memory of 2936 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4768 wrote to memory of 3188 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 4768 wrote to memory of 3188 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe

"C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF2DC.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe

"C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4164 --field-trial-handle=2280,i,11703952675008463361,17436195144517971517,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
GB 23.44.234.16:80 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 164.189.21.2.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 91.16.208.104.in-addr.arpa udp

Files

memory/4848-0-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\Logo1_.exe

MD5 021a2a0555836de111f013f5eeaaa5f7
SHA1 2d6048f2500d31afe6028b89936901de4f59e0c3
SHA256 9e9e8520278bfdad09f0e7caee657288c69006bf8d40cda2ff811a14fc6db2e5
SHA512 d2b9f264971ddafab44bff6584d74ce983635a0a727646068bf0c7d2db26ca524b6a4d343726f1dae93548230a9e2686691e22ddcc0e018df1bdd0bd18af9032

memory/4768-9-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4848-11-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aF2DC.bat

MD5 8043366aa39495cd6bdd031e523b41df
SHA1 e975d39a02d56c2bc61636e025fbb46ec9040c41
SHA256 5cf9d2600ef0b193e43727d9f636fc4569817e8f9532b0a10d30c0812fa4f2ca
SHA512 502a912d507bb75c341aaf5d6268c73c978e7504781b3ccfbf4b0f11320f083b004fd42aed9cb903b1926a62ed1454fbf68acdc5ff940093ef0da5f708571a7e

C:\Users\Admin\AppData\Local\Temp\5dfb788fc1aea79a4773aa079cf9285373ec125822aec1c09ccb8338f247de7d.exe.exe

MD5 ad782ffac62e14e2269bf1379bccbaae
SHA1 9539773b550e902a35764574a2be2d05bc0d8afc
SHA256 1c8a77db924ebeb952052334dc95add388700c02b073b07973cd8fe0a0a360b8
SHA512 a1e9d6316ffc55f4751090961733e98c93b2a391666ff50b50e9dea39783746e501d14127e7ee9343926976d7e3cd224f13736530354d8466ea995dab35c8dc2

memory/4768-18-0x0000000000400000-0x000000000043D000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\_desktop.ini

MD5 fa1e1ef0fdda97877a13339b28fa95e5
SHA1 7e2cffca41118e7b2d62963bd940630b15b85653
SHA256 968b715c081472526487d60da8968e9b3bde2dac103f69beb3f6abe6ef7bc191
SHA512 3d55913a97aa89a7201342705640c1d031d19ad8aca4939219067f84e3fe118f47b4e388f490f69f605683d3854425c3de188f731886405474ae8e3d42c86f4f

C:\Program Files\7-Zip\7z.exe

MD5 10cb9686fd14b5753e3f1f5cd69f7bae
SHA1 dce890e909e8c9343b403ea4827b81ad122505b4
SHA256 36fcc82d1e6a3782e5aee3f775429557630b9e9ff0bd6dd5eabbf2041a35f5eb
SHA512 cf55a34e0bdbf30935a53839242d01733692ec6c7af55a651f07ad6df38a41bea317a988ffc5de179b2867fe5f66779572da130514802098d6b87eed19c93ac9

memory/4768-321-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4768-2334-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 0b13bc356da9ab8c8c3b34a9cc4b1b77
SHA1 eae4523bb908335e1c253cf339f20c80746b7735
SHA256 35269339dfac2f4ff18e696d97215de68692d671da2224aa8327ceadcafc09dd
SHA512 6a7ee3e68114f51c4898c66ea0d9cb1c885fa38188947c700773190885ec543a2eaa83b851b14697fbcb5bdf28b2741ab36dd61c994884c46e504bdf57e62bf8

memory/4768-5289-0x0000000000400000-0x000000000043D000-memory.dmp

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 aecf142251e06e96eaedc5e1bc04568f
SHA1 ab26d8592d875b0cb0718cd50749031d2ad5674d
SHA256 c818541311237aee2228d5c92a777196ffa06b936c6a7b2f1ddf3b5b30270cc0
SHA512 f6082135cec17dec3291a86a4d023589c3def12f788e169ecc7c8d4d7a80c6f0ba1f8db09ccbbd390d320a108376e65a01862b093f02ab617bc6addfde9b7d5a

memory/4768-6892-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4768-8779-0x0000000000400000-0x000000000043D000-memory.dmp