Malware Analysis Report

2025-08-05 16:00

Sample ID 240610-g9atesdh72
Target 0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a
SHA256 0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a
Tags
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a

Threat Level: Shows suspicious behavior

The file 0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a was classified as: Shows suspicious behavior.

Malicious Activity Summary

Executes dropped EXE

Deletes itself

Loads dropped DLL

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-10 06:29

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 06:29

Reported

2024-06-10 06:38

Platform

win10v2004-20240226-en

Max time kernel

111s

Max time network

158s

Command Line

C:\Windows\Explorer.EXE

Signatures

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\W: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\Logo1_.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jre-1.8\lib\images\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jre-1.8\lib\images\cursors\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\createdump.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pt-BR\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\klist.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\legal\javafx\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\legal\javafx\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\kinit.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jre-1.8\lib\management\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jconsole.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\legal\jdk\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\lib\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\lib\images\cursors\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\it\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\orbd.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jre-1.8\lib\applet\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\pl\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\tr\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javah.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\lib\amd64\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\serialver.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\pack200.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\lib\cmm\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\cs\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jar.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\include\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\dotnet\shared\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\de\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\ja\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\bin\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jre-1.8\lib\jfr\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\fr\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\legal\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk-1.8\jre\lib\jfr\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jre-1.8\bin\server\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\dotnet\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\dotnet\host\fxr\6.0.25\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.NETCore.App\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javaw.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\dotnet\host\fxr\6.0.25\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\server\_desktop.ini | C:\Windows\Logo1_.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\rundl132.exe | C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe | N/A
File created | C:\Windows\Logo1_.exe | C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe | N/A
File opened for modification | C:\Windows\rundl132.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Windows\vDll.dll | C:\Windows\Logo1_.exe | N/A

Runs net.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4060 wrote to memory of 100 | N/A | C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe | C:\Windows\SysWOW64\cmd.exe
PID 4060 wrote to memory of 100 | N/A | C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe | C:\Windows\SysWOW64\cmd.exe
PID 4060 wrote to memory of 100 | N/A | C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe | C:\Windows\SysWOW64\cmd.exe
PID 4060 wrote to memory of 3104 | N/A | C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe | C:\Windows\Logo1_.exe
PID 4060 wrote to memory of 3104 | N/A | C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe | C:\Windows\Logo1_.exe
PID 4060 wrote to memory of 3104 | N/A | C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe | C:\Windows\Logo1_.exe
PID 3104 wrote to memory of 1956 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 3104 wrote to memory of 1956 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 3104 wrote to memory of 1956 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 100 wrote to memory of 2780 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe
PID 100 wrote to memory of 2780 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe
PID 100 wrote to memory of 2780 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe
PID 1956 wrote to memory of 3760 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 1956 wrote to memory of 3760 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 1956 wrote to memory of 3760 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 3104 wrote to memory of 3376 | N/A | C:\Windows\Logo1_.exe | C:\Windows\Explorer.EXE
PID 3104 wrote to memory of 3376 | N/A | C:\Windows\Logo1_.exe | C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe

"C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD532.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe

"C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4112 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp
GB | 96.16.110.114:80 | | tcp
US | 8.8.8.8:53 | 71.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 13.107.253.64:443 | | tcp
US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 144.107.17.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 25.140.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp
US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp
FR | 142.250.179.106:443 | chromewebstore.googleapis.com | tcp
US | 8.8.8.8:53 | 106.179.250.142.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.73.42.20.in-addr.arpa | udp

Files

memory/4060-0-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3104-9-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\rundl132.exe

MD5 7c15205a07dd533f95522e5ffdfea7c4
SHA1 69ca1e1a8b842a8795c164376518add592d6b63b
SHA256 dd66c57aa3dab4a1879b1cbf49e4bb77df174a145cd3b7adbe021ab3f02795db
SHA512 d388c426086a683dd50d18cdf3151ee8b62f5b057dd73a4eba56c5866b2b09c10dba2e7501ee2972f69782f08fdca13b7c37eb887f95c6de2f5622b982d74f65

memory/4060-12-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aD532.bat

MD5 fecbb5904927d913c7b39c5b700072ea
SHA1 0470f24d58de892788f8f438911ade8158d74f26
SHA256 c392991de4e550cdfc97408f8c4daa06e471f0bbd746b4230dde0f5d93c9570d
SHA512 e69e312d7de6edce12c806bf3b5ae4ccb3d3e114738e3d43baecc4570bcda2101d662cb517d03eaf0aaab265b65f4c9c7c97829a4b418232a6c1961256849fbd

C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe.exe

MD5 9ae85ec1fa398ef12c39c3e2d466c503
SHA1 5beb85be6228b5dc0f34cf7375bcf4d9f83fa06a
SHA256 6ee75ac40a41d2717762117cd9649ed1780aa67769dbbb84ef508b76d75a19c3
SHA512 2e0b1e79c34209fd9c3e2b65da62d370225b7499c57cb0a7bf5c306e7f99a0ad6493b493eeca99a460ba051b907517c9423cff46ea80b13f1081144849fad7eb

memory/2780-18-0x0000000002140000-0x0000000002141000-memory.dmp

memory/3104-20-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2780-21-0x0000000000400000-0x00000000004EE000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\_desktop.ini

MD5 60b1ffe4d5892b7ae054738eec1fd425
SHA1 80d4e944617f4132b1c6917345b158f3693f35c8
SHA256 5e9944cc48c7ec641cf7b1b0125f47f26102c371a973612f0583f604bc3900d4
SHA512 7f5c200924dbb5531df997e6a35cb94f36b54f5651284b0d6404f0576301125ef72b410a170fca889d46c033063663cfc7791f9e4c3c30695af069053eee66cc

memory/2780-30-0x0000000002140000-0x0000000002141000-memory.dmp

memory/3104-31-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3104-37-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3104-46-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3104-50-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Program Files\7-Zip\7z.exe

MD5 badb9005aff0ac965a63969ff04438f9
SHA1 4ed0a9f6b83e0aca5c3807a83cb17d2fd7e5d165
SHA256 7e9d99e9ba0e2bce9e46c3d7a757c5abcce5491143fc6288a21d4cac6849b67c
SHA512 fe17f00e6e35dd81862a82afd2a396c159d2b090b6fee235b268f9feacf9aec58113a355a04f5f368230bea77548890ae38a287bf626e03d029f293158c59687

memory/3104-1193-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 099be1f135daaba3e2a8198ee3502b2a
SHA1 a792724c7592d07434bfc6ed5151f23966e73924
SHA256 773c644013e8b8fe0321403099693f0ab941283b381a178716049afc92cb63a1
SHA512 371f1d56f64091b3c0b08353797e353f22b2e73423243ea2ef5a9d91853331e90d2512e591163100c68df38549912b87a13abbb2c5520684b44ee2032e935366

memory/3104-4923-0x0000000000400000-0x0000000000434000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 06:29

Reported

2024-06-10 06:38

Platform

win7-20240221-en

Max time kernel

100s

Max time network

127s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\O: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\Logo1_.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jstatd.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Google\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\unpack200.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\db\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zG.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\en-US\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.zh_CN_5.5.0.165303\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\SystemV\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Africa\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data\_desktop.ini | C:\Windows\Logo1_.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\Logo1_.exe | C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe | N/A
File opened for modification | C:\Windows\rundl132.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Windows\vDll.dll | C:\Windows\Logo1_.exe | N/A
File created | C:\Windows\rundl132.exe | C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe | N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1848 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe | C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe | C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe | C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 2456 | N/A | C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe | C:\Windows\SysWOW64\cmd.exe
PID 1848 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe | C:\Windows\Logo1_.exe
PID 1848 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe | C:\Windows\Logo1_.exe
PID 1848 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe | C:\Windows\Logo1_.exe
PID 1848 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe | C:\Windows\Logo1_.exe
PID 2936 wrote to memory of 2576 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 2936 wrote to memory of 2576 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 2936 wrote to memory of 2576 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 2936 wrote to memory of 2576 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 2576 wrote to memory of 2368 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2576 wrote to memory of 2368 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2576 wrote to memory of 2368 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2576 wrote to memory of 2368 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2456 wrote to memory of 2900 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe
PID 2456 wrote to memory of 2900 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe
PID 2456 wrote to memory of 2900 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe
PID 2456 wrote to memory of 2900 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe
PID 2936 wrote to memory of 1192 | N/A | C:\Windows\Logo1_.exe | C:\Windows\Explorer.EXE
PID 2936 wrote to memory of 1192 | N/A | C:\Windows\Logo1_.exe | C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe

"C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2CBB.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe

"C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe"

Network

N/A

Files

memory/1848-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\rundl132.exe

MD5 7c15205a07dd533f95522e5ffdfea7c4
SHA1 69ca1e1a8b842a8795c164376518add592d6b63b
SHA256 dd66c57aa3dab4a1879b1cbf49e4bb77df174a145cd3b7adbe021ab3f02795db
SHA512 d388c426086a683dd50d18cdf3151ee8b62f5b057dd73a4eba56c5866b2b09c10dba2e7501ee2972f69782f08fdca13b7c37eb887f95c6de2f5622b982d74f65

memory/2936-18-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1848-16-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a2CBB.bat

MD5 2305fb03df89a622f48980a530d5f51c
SHA1 dda382aa5aeb7c505569582d271271f60ed5c264
SHA256 cc69281699adf209cd271e9ac6bb4ad5a242c4113598147241bed5545cafe382
SHA512 9a7dbb9fa99d177a63361c4434d333dca6873fdeb0ecd6fd0ac457fc675e52baa96cd7990122db9694c0fa4569bdeb48a9b231c067d3c92a37a01ccd09c58188

C:\Users\Admin\AppData\Local\Temp\0a27c0d3eecafc5bdd1690a669ac6fa22398b72143309605b7a6e964a75cfb2a.exe.exe

MD5 9ae85ec1fa398ef12c39c3e2d466c503
SHA1 5beb85be6228b5dc0f34cf7375bcf4d9f83fa06a
SHA256 6ee75ac40a41d2717762117cd9649ed1780aa67769dbbb84ef508b76d75a19c3
SHA512 2e0b1e79c34209fd9c3e2b65da62d370225b7499c57cb0a7bf5c306e7f99a0ad6493b493eeca99a460ba051b907517c9423cff46ea80b13f1081144849fad7eb

memory/2900-29-0x0000000000220000-0x0000000000221000-memory.dmp

memory/1192-31-0x00000000024E0000-0x00000000024E1000-memory.dmp

memory/2936-33-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2900-34-0x0000000000400000-0x00000000004EE000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-2297530677-1229052932-2803917579-1000\_desktop.ini

MD5 60b1ffe4d5892b7ae054738eec1fd425
SHA1 80d4e944617f4132b1c6917345b158f3693f35c8
SHA256 5e9944cc48c7ec641cf7b1b0125f47f26102c371a973612f0583f604bc3900d4
SHA512 7f5c200924dbb5531df997e6a35cb94f36b54f5651284b0d6404f0576301125ef72b410a170fca889d46c033063663cfc7791f9e4c3c30695af069053eee66cc

memory/2936-41-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2900-43-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2936-52-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2936-98-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2936-106-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2936-1650-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2936-1862-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 099be1f135daaba3e2a8198ee3502b2a
SHA1 a792724c7592d07434bfc6ed5151f23966e73924
SHA256 773c644013e8b8fe0321403099693f0ab941283b381a178716049afc92cb63a1
SHA512 371f1d56f64091b3c0b08353797e353f22b2e73423243ea2ef5a9d91853331e90d2512e591163100c68df38549912b87a13abbb2c5520684b44ee2032e935366

memory/2936-3322-0x0000000000400000-0x0000000000434000-memory.dmp

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 a61475439ef9cea4ea3df58f1fd09af3
SHA1 7742488336811eeb0ad17fa0625b8675ec2bb86d
SHA256 1346407e38e3f0066a05dd728a9d17540095ec1697b2c675e900652372d19a76
SHA512 c416c96ea7a438cea5e7847a3fce84c5b8b960336413ffb39b5152e96bbdbfd410c546c9cd43e0f21054f4852be397d43682ce830128f9faed751be54ba1d811