Malware Analysis Report

2024-11-30 06:38

Sample ID 240612-v8svhatcnf
Target b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536
SHA256 b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536
Tags spyware, stealer
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536

Threat Level: Shows suspicious behavior

The file b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536 was found to show suspicious behavior.

Malicious Activity Summary

spyware stealer

Deletes itself

Executes dropped EXE

Reads user/profile data of web browsers

Drops startup file

Loads dropped DLL

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 17:39

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 17:39

Reported

2024-06-12 17:42

Platform

win7-20240611-en

Max time kernel

150s

Max time network

127s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself (performed by cmd.exe running the dropped batch file C:\Users\Admin\AppData\Local\Temp\$$a70AD.bat; see Processes and Files)

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

Tags: spyware, stealer. The report records no indicator rows for this signature in this run.

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ka\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Mahjong\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\wmpenc.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Africa\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Hearts\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\hi\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\More Games\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\lt\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\jabswitch.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\or_IN\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\7-Zip\Lang\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ku_IQ\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\pt_PT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\keytool.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\bin\dtplugin\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ca@valencia\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Mail\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Journal\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TextConv\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\extcheck.exe C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe N/A

Runs net.exe (three instances, each running net stop "Kingsoft AntiVirus Service"; see Processes)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1808 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe C:\Windows\SysWOW64\net.exe
PID 1808 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe C:\Windows\SysWOW64\net.exe
PID 1808 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe C:\Windows\SysWOW64\net.exe
PID 1808 wrote to memory of 2232 N/A C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe C:\Windows\SysWOW64\net.exe
PID 2232 wrote to memory of 2452 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2232 wrote to memory of 2452 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2232 wrote to memory of 2452 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2232 wrote to memory of 2452 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1808 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe C:\Windows\SysWOW64\cmd.exe
PID 1808 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe C:\Windows\Logo1_.exe
PID 1808 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe C:\Windows\Logo1_.exe
PID 1808 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe C:\Windows\Logo1_.exe
PID 1808 wrote to memory of 2688 N/A C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe C:\Windows\Logo1_.exe
PID 2688 wrote to memory of 2316 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2688 wrote to memory of 2316 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2688 wrote to memory of 2316 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2688 wrote to memory of 2316 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2316 wrote to memory of 1420 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2316 wrote to memory of 1420 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2316 wrote to memory of 1420 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2316 wrote to memory of 1420 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2624 wrote to memory of 2932 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe
PID 2624 wrote to memory of 2932 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe
PID 2624 wrote to memory of 2932 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe
PID 2624 wrote to memory of 2932 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe
PID 2688 wrote to memory of 2820 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2688 wrote to memory of 2820 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2688 wrote to memory of 2820 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2688 wrote to memory of 2820 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2820 wrote to memory of 2644 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2820 wrote to memory of 2644 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2820 wrote to memory of 2644 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2820 wrote to memory of 2644 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2688 wrote to memory of 1240 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2688 wrote to memory of 1240 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
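The table above lists every cross-process write the sandbox observed. The repeated rows for each parent/child pair are the writes a parent makes into a process it has just created (CreateProcess fills in the new process's parameters before it starts running), so they trace the process tree rather than injection. The two writes from Logo1_.exe (PID 2688) into Explorer.EXE (PID 1240), a process that was already running when the sample started, are the ones that indicate code injection. The Python below is an added example, not part of the sandbox's report: it rebuilds the tree from the rows above and separates the two cases. It assumes that Explorer.EXE, the launcher named in the Command Line field, is the only pre-existing process; the rows are reproduced with their repeat counts rather than verbatim.

```python
"""Rebuild the process tree from Triage-style "PID A wrote to memory of B" rows.

Added example; PIDs, images and repeat counts are copied from the
behavioral1 WriteProcessMemory table in this report.
"""
import ntpath
from collections import defaultdict

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe")
LOGO1 = r"C:\Windows\Logo1_.exe"
NET = r"C:\Windows\SysWOW64\net.exe"
NET1 = r"C:\Windows\SysWOW64\net1.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"

# (writer PID, target PID, writer image, target image, identical rows in the table)
WRITES = [
    (1808, 2232, SAMPLE, NET, 4),
    (2232, 2452, NET, NET1, 4),
    (1808, 2624, SAMPLE, CMD, 4),
    (1808, 2688, SAMPLE, LOGO1, 4),
    (2688, 2316, LOGO1, NET, 4),
    (2316, 1420, NET, NET1, 4),
    (2624, 2932, CMD, SAMPLE, 4),
    (2688, 2820, LOGO1, NET, 4),
    (2820, 2644, NET, NET1, 4),
    (2688, 1240, LOGO1, EXPLORER, 2),
]

# Assumption: Explorer.EXE, the launcher named in the report's "Command Line"
# field, is the only process that was already running before the sample.
PRE_EXISTING = {1240}


def classify(writes, pre_existing):
    """Return (children, image, injections).

    A write into a process that did not exist before the sample ran is the
    parent setting up a child it just created, so it defines a tree edge.
    A write into a pre-existing process is cross-process injection.
    """
    children = defaultdict(list)   # parent PID -> [child PIDs] in table order
    image = {}                     # PID -> image path
    injections = []                # (writer, target, target image, write count)
    for writer, target, w_img, t_img, count in writes:
        image.setdefault(writer, w_img)
        image.setdefault(target, t_img)
        if target in pre_existing:
            injections.append((writer, target, t_img, count))
        else:
            children[writer].append(target)
    return children, image, injections


def roots(children):
    """PIDs that start a subtree but were never created by another listed PID."""
    created = {c for kids in children.values() for c in kids}
    return sorted(pid for pid in children if pid not in created)


def render(children, image, pid, depth=0):
    """Indented text tree, one line per process."""
    lines = [f"{'  ' * depth}{ntpath.basename(image[pid])} ({pid})"]
    for child in children.get(pid, []):
        lines.extend(render(children, image, child, depth + 1))
    return lines


if __name__ == "__main__":
    kids, img, inj = classify(WRITES, PRE_EXISTING)
    for root in roots(kids):
        print("\n".join(render(kids, img, root)))
    for writer, target, t_img, count in inj:
        print(f"injection: {ntpath.basename(img[writer])} ({writer}) -> "
              f"{ntpath.basename(t_img)} ({target}), {count} writes")
```

Run stand-alone it prints the tree rooted at the sample (PID 1808) and a single injection line for Logo1_.exe writing into Explorer.EXE. When applying this to another report, the pre-existing set is the only input that needs judgement; everything else comes straight from the table.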

Processes

PIDs and parent/child links below come from the WriteProcessMemory table above, in which each new process first appears as the target of its parent's writes; the eleven processes listed by the sandbox were matched, in order, to the rows of that table. Indentation shows the tree.

C:\Windows\Explorer.EXE (PID 1240; already running, later written to by Logo1_.exe PID 2688)

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe (PID 1808)

"C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe"

    C:\Windows\SysWOW64\net.exe (PID 2232, parent 1808)

    net stop "Kingsoft AntiVirus Service"

        C:\Windows\SysWOW64\net1.exe (PID 2452, parent 2232)

        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

    C:\Windows\SysWOW64\cmd.exe (PID 2624, parent 1808)

    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a70AD.bat

        C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe (PID 2932, parent 2624; launched from the batch file)

        "C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe"

    C:\Windows\Logo1_.exe (PID 2688, parent 1808)

    C:\Windows\Logo1_.exe

        C:\Windows\SysWOW64\net.exe (PID 2316, parent 2688)

        net stop "Kingsoft AntiVirus Service"

            C:\Windows\SysWOW64\net1.exe (PID 1420, parent 2316)

            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

        C:\Windows\SysWOW64\net.exe (PID 2820, parent 2688)

        net stop "Kingsoft AntiVirus Service"

            C:\Windows\SysWOW64\net1.exe (PID 2644, parent 2820)

            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
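The command lines above give three detection hooks that do not depend on the sample's file name: net.exe/net1.exe stopping an antivirus service, cmd.exe running a $$-prefixed batch file from the user's Temp directory, and executables written directly into C:\Windows (Logo1_.exe, rundl132.exe and Dll.dll; see Drops file in Windows directory). The Python below is an added example, not part of this report. It runs those three rules over constructed Sysmon-style process-creation (Event ID 1) and file-creation (Event ID 11) records that mirror the report, plus benign controls that must stay silent. Matching any service name containing "antivirus", and any PE written into the Windows root by a process running from %TEMP%, is the example's own generalisation, not something the report states.

```python
"""Three detections for the behaviour chain in this report, run over
constructed Sysmon-style records (Event ID 1 ProcessCreate, Event ID 11
FileCreate). Added example; not part of the sandbox output.
"""
import ntpath
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe")

# Constructed telemetry. Records 0-5 mirror the report; 6 is a constructed
# generalisation case; 7-9 are benign controls that must not fire.
EVENTS = [
    {"id": 1, "image": r"C:\Windows\SysWOW64\net.exe", "parent": SAMPLE,
     "cmdline": 'net stop "Kingsoft AntiVirus Service"'},
    {"id": 1, "image": r"C:\Windows\SysWOW64\net1.exe", "parent": r"C:\Windows\SysWOW64\net.exe",
     "cmdline": r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'},
    {"id": 1, "image": r"C:\Windows\SysWOW64\cmd.exe", "parent": SAMPLE,
     "cmdline": r"cmd /c C:\Users\Admin\AppData\Local\Temp\$$a70AD.bat"},
    {"id": 11, "image": SAMPLE, "target": r"C:\Windows\Logo1_.exe"},
    {"id": 11, "image": SAMPLE, "target": r"C:\Windows\rundl132.exe"},
    {"id": 11, "image": r"C:\Windows\Logo1_.exe", "target": r"C:\Windows\Dll.dll"},
    {"id": 11, "image": SAMPLE, "target": r"C:\Windows\helper.exe"},  # constructed
    {"id": 1, "image": r"C:\Windows\System32\net.exe", "parent": r"C:\Windows\System32\cmd.exe",
     "cmdline": "net stop Spooler"},  # benign
    {"id": 1, "image": r"C:\Windows\System32\cmd.exe", "parent": r"C:\Windows\explorer.exe",
     "cmdline": r"cmd /c C:\build\run_tests.bat"},  # benign
    {"id": 11, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"C:\Windows\Temp\update.log"},  # benign
]

SERVICE_STOP = re.compile(r'\bstop\s+"?([^"]+?)"?\s*$', re.I)
TEMP_BATCH = re.compile(
    r'/c\s+"?[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\\$\$[^\\\s"]*\.bat\b', re.I)
KNOWN_DROPS = {r"c:\windows\logo1_.exe", r"c:\windows\rundl132.exe", r"c:\windows\dll.dll"}
WINDOWS_ROOT_PE = re.compile(r"c:\\windows\\[^\\]+\.(exe|dll)", re.I)


def rule_av_service_stop(ev):
    """net/net1 stopping a service whose name says it is an antivirus product.
    Matching on the substring 'antivirus' is the example's generalisation."""
    if ev["id"] != 1 or ntpath.basename(ev["image"]).lower() not in ("net.exe", "net1.exe"):
        return None
    m = SERVICE_STOP.search(ev["cmdline"])
    if m and "antivirus" in m.group(1).lower():
        return f"security service stopped: {m.group(1)}"
    return None


def rule_temp_batch(ev):
    """cmd.exe /c running a $$-prefixed .bat from the user's Temp directory."""
    if (ev["id"] == 1 and ntpath.basename(ev["image"]).lower() == "cmd.exe"
            and TEMP_BATCH.search(ev["cmdline"])):
        return "cmd.exe runs $$*.bat dropped in %TEMP%"
    return None


def rule_windows_root_drop(ev):
    """Known dropped names, or (assumption) any PE written straight into
    C:\\Windows by a process that itself runs from %TEMP%."""
    if ev["id"] != 11:
        return None
    target = ev["target"].lower()
    if target in KNOWN_DROPS:
        return f"known dropped file: {ev['target']}"
    if WINDOWS_ROOT_PE.fullmatch(target) and "\\appdata\\local\\temp\\" in ev["image"].lower():
        return f"PE written to Windows root by Temp-resident process: {ev['target']}"
    return None


RULES = (rule_av_service_stop, rule_temp_batch, rule_windows_root_drop)


def scan(events):
    """Return (event index, rule name, message) for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        for rule in RULES:
            msg = rule(ev)
            if msg:
                hits.append((i, rule.__name__, msg))
    return hits


if __name__ == "__main__":
    for hit in scan(EVENTS):
        print(hit)
```

The net1.exe rule matters in practice because net.exe hands the actual work to net1.exe; logging that only watches net.exe misses the second half of the pair shown in the process list.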

Network

N/A

Files

memory/1808-0-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a70AD.bat

MD5 c34ee9235a059208b2fd501bb278d244
SHA1 e3bba43edfd721780b26197fc3298c1989366bc0
SHA256 c5695f21a11ba39c3096ba8e7a36ac54ea180b72f26370448d40cd6c3b71e2ad
SHA512 c90e45d7507a01d6d2ec8176eaca7cd2a6951dfaa9044b7b3b361f648ecf6bc869b4e3cb2306e45abb3581521b40194bb8b67baf0d00e82cf2a2b4e4ea21a80e

memory/1808-17-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\Logo1_.exe

MD5 d217c3697316d2c81d2aebb8e2a6b109
SHA1 654810e06ac475be905043e1a10f2a844b8b5d27
SHA256 4bb2c2bcce8b368dab7d3e9d243feb6d471d3b727db1780be31693da78bb085f
SHA512 5c6a080b5ff12f86f07ab5d7a2d3b0f18bd30cedd8e095c16568780d0b9d120b5b6e0dd5eb7863aa4db9a83cee77cbb5b5526ac98fbc8abcf771d49440df1f58

memory/2688-18-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe.exe

MD5 07dd9dcd1cc2840751a1f8772f3c0195
SHA1 c6203a3990cfbf396ae87110e341f773cd6be4c1
SHA256 9b39147e1ba781ea8e463c22700f6ce354ac5e775e36657fd87bf41074835602
SHA512 5e547dc18a2b44a6dd67f6b43ee5b5b1bbd4ec1e8b5507b0d990837a7adb72b66808e7487f97062d54e4d3c2c7b791e3b580c9ed316e9d003849f7a6f6a3d56b

memory/2932-27-0x0000000000300000-0x0000000000301000-memory.dmp

memory/1240-30-0x0000000002940000-0x0000000002941000-memory.dmp

memory/2688-33-0x0000000000400000-0x0000000000440000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-39690363-730359138-1046745555-1000\_desktop.ini

MD5 1f206a052c160fd77308863abd810887
SHA1 3b27ec1dc4b51fb7f1793a9ca9bb0d2e53e60eb1
SHA256 45129bd309ca763a88c6bf438896e82b939d6491036658c4512c57f8353938c1
SHA512 bd7857c146b01a49d34d4eb84053353eeb586bee6916426179305d5e2360559adea4040fe2184a3a803943ff4e6526cc38c665f9a808355619628868d53fbed5

memory/2688-1263-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2688-3003-0x0000000000400000-0x0000000000440000-memory.dmp

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 50cb47f0239e9a2044dfa0b0e6d92c14
SHA1 2b20d81a810449f5b994c3d785b6a8f7700a023f
SHA256 fa436f5c793efd8b5908c7bb003a95e126a350f3c5e51edd18ccdaf28aaba7e3
SHA512 27cdb9f9248870b1595fa8ff7f975fe225e80f43f47a6aac2867eadbad0dfea347c4ffa3bd6d52ba95d72d81cc12314b9ab9833d118b7a7bb0be707479371049

memory/2688-4113-0x0000000000400000-0x0000000000440000-memory.dmp
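For host triage, the distinctive on-disk artefacts from this run are the _desktop.ini files (leading underscore; Explorer's own metadata file is desktop.ini without it) written across Program Files and the removable drive F:, the three files dropped into C:\Windows, and the SHA-256 values listed in the Files section. The Python below is an added example, not the sandbox's code: it sweeps a directory tree for those names, hashes candidate files against the report's SHA-256 list, and builds a constructed tree under a temporary directory so it can run offline. The stand-in file contents are constructed and do not match the report's hashes; the demo adds the hash of its own stand-in, labelled as such, purely so the hash-match path is exercised.

```python
"""Offline sweep for the on-disk artefacts listed in this report.

Added example, not sandbox code. demo() builds a constructed directory tree
under a temporary directory so the sweep runs anywhere; the contents are
stand-ins, not the real samples.
"""
import hashlib
import os
import shutil
import tempfile

# SHA-256 values copied from the Files section above.
REPORT_SHA256 = {
    "c5695f21a11ba39c3096ba8e7a36ac54ea180b72f26370448d40cd6c3b71e2ad": "$$a70AD.bat",
    "4bb2c2bcce8b368dab7d3e9d243feb6d471d3b727db1780be31693da78bb085f": "C:\\Windows\\Logo1_.exe",
    "9b39147e1ba781ea8e463c22700f6ce354ac5e775e36657fd87bf41074835602": "Temp\\<sample>.exe.exe",
    "45129bd309ca763a88c6bf438896e82b939d6491036658c4512c57f8353938c1": "_desktop.ini",
}
# Names dropped into C:\Windows (see "Drops file in Windows directory").
DROPPED_NAMES = {"logo1_.exe", "rundl132.exe", "dll.dll"}
# Extensions worth hashing even when the name is not on the list.
HASH_EXTS = (".exe", ".dll", ".bat", ".ini")


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, known=REPORT_SHA256):
    """Walk root; return name hits and hash hits.

    _desktop.ini (leading underscore) is the marker this sample writes into
    every directory it touches; Explorer's legitimate file is desktop.ini.
    """
    findings = {"desktop_ini": [], "dropped_names": [], "hash_hits": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            low = name.lower()
            if low == "_desktop.ini":
                findings["desktop_ini"].append(path)
            if low in DROPPED_NAMES:
                findings["dropped_names"].append(path)
            if low.endswith(HASH_EXTS):
                digest = sha256_file(path)
                if digest in known:
                    findings["hash_hits"].append((path, known[digest]))
    return findings


def _write(path, data):
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed tree: three Windows-root drops, one marker file, and one
    legitimate desktop.ini that must not be flagged."""
    root = tempfile.mkdtemp(prefix="triage_sweep_")
    try:
        stand_in = b"MZ constructed stand-in for Logo1_.exe"
        _write(os.path.join(root, "Windows", "Logo1_.exe"), stand_in)
        _write(os.path.join(root, "Windows", "rundl132.exe"), b"MZ constructed stand-in 2")
        _write(os.path.join(root, "Windows", "Dll.dll"), b"MZ constructed stand-in 3")
        vlc = os.path.join(root, "Program Files", "VideoLAN", "VLC", "locale", "ka")
        _write(os.path.join(vlc, "_desktop.ini"), b"constructed marker")
        _write(os.path.join(vlc, "desktop.ini"), b"[.ShellClassInfo]\r\n")
        # The stand-in is not the real Logo1_.exe, so its hash is added here
        # (labelled) only to exercise the hash-match path.
        known = dict(REPORT_SHA256)
        known[hashlib.sha256(stand_in).hexdigest()] = "constructed Logo1_.exe stand-in"
        return sweep(root, known)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for key, hits in demo().items():
        print(key, hits)
```

On a real host, point sweep() at each fixed and removable drive root (the drive enumeration above covers E: through Z:) and read the returned lists; name hits identify infected directories, hash hits confirm the exact files from this run.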

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 17:39

Reported

2024-06-12 17:42

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

104s

Command Line

C:\Windows\Explorer.EXE

Signatures

Drops startup file (the _desktop.ini marker written into the Word STARTUP folder; Word loads templates and add-ins from that folder, not .ini files, so this is the same directory-marker behaviour seen under Program Files rather than a separate persistence mechanism)

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A

Reads user/profile data of web browsers

Tags: spyware, stealer. The report records no indicator rows for this signature in this run.

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\eu-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\de-de\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\he-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\Extensions\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Defender\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\eo\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\wmpconfig.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\DESIGNER\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\packetizer\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sk-sk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ru-ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\Stamps\ENU\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Fonts\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\require\2.1.15\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\he-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\logger\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\en-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\EQUATION\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\rhp\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-ma\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\host\fxr\6.0.27\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft.NET\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hu-hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\eu-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\bin\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\eu-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\CrashReports\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Media Player\uk-UA\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sk-sk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\am\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Multimedia\MPP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hu-hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pl-pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ru-ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4852 wrote to memory of 2668 N/A C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe C:\Windows\SysWOW64\net.exe
PID 2668 wrote to memory of 3176 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4852 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe C:\Windows\SysWOW64\cmd.exe
PID 4852 wrote to memory of 1536 N/A C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe C:\Windows\Logo1_.exe
PID 1536 wrote to memory of 2252 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1900 wrote to memory of 1144 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe
PID 2252 wrote to memory of 1164 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1536 wrote to memory of 1880 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1880 wrote to memory of 840 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1536 wrote to memory of 3488 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe

"C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a47D6.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe

"C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

Country Destination Domain Proto
US 52.111.227.14:443 tcp

Files

memory/4852-0-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\Logo1_.exe

MD5 d217c3697316d2c81d2aebb8e2a6b109
SHA1 654810e06ac475be905043e1a10f2a844b8b5d27
SHA256 4bb2c2bcce8b368dab7d3e9d243feb6d471d3b727db1780be31693da78bb085f
SHA512 5c6a080b5ff12f86f07ab5d7a2d3b0f18bd30cedd8e095c16568780d0b9d120b5b6e0dd5eb7863aa4db9a83cee77cbb5b5526ac98fbc8abcf771d49440df1f58

memory/4852-9-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1536-11-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a47D6.bat

MD5 4dc935ca5cd8d99b241993601380a393
SHA1 a078f109986bca446520545aa05a19960f8ce9b5
SHA256 5d523b98fe2a75852eacccd904557b5330102a6f530cba11d2a26774f176c022
SHA512 8d46b6e9d5b04732b77ea74914f002fbf1c1e2dd920652f84f672f614e51baff00d297503e59cb2fccd5792f3621c697ffbbb344edac4d5c1a350cd4033d6dd7

C:\Users\Admin\AppData\Local\Temp\b9f0df7f76805b62a172b48cef77491cc2e57ffe36b3fd77fbffa2b3c1ec8536.exe.exe

MD5 07dd9dcd1cc2840751a1f8772f3c0195
SHA1 c6203a3990cfbf396ae87110e341f773cd6be4c1
SHA256 9b39147e1ba781ea8e463c22700f6ce354ac5e775e36657fd87bf41074835602
SHA512 5e547dc18a2b44a6dd67f6b43ee5b5b1bbd4ec1e8b5507b0d990837a7adb72b66808e7487f97062d54e4d3c2c7b791e3b580c9ed316e9d003849f7a6f6a3d56b

memory/1536-18-0x0000000000400000-0x0000000000440000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\_desktop.ini

MD5 1f206a052c160fd77308863abd810887
SHA1 3b27ec1dc4b51fb7f1793a9ca9bb0d2e53e60eb1
SHA256 45129bd309ca763a88c6bf438896e82b939d6491036658c4512c57f8353938c1
SHA512 bd7857c146b01a49d34d4eb84053353eeb586bee6916426179305d5e2360559adea4040fe2184a3a803943ff4e6526cc38c665f9a808355619628868d53fbed5

C:\Program Files\7-Zip\7z.exe

MD5 190a4a49a4c5f58e46ee9062792449c1
SHA1 be8975816f178daeca66ac4d04defb560f2ca788
SHA256 7c5a0fc9587825f19abcd964b6250627991e1ea863aa34a247c19825799dcd07
SHA512 5706298d63282f3ac4f170f74b6e243032e46fcd369becc3e1b63bc1dfb7135e4bf7b953216351fa0bf8996a70ddfccc1c9cb8cf28b2d2019c2d43a257a081ed

memory/1536-2892-0x0000000000400000-0x0000000000440000-memory.dmp

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 e9d357d936630a4282349f034fb51052
SHA1 3905031236dfb21491e9ad23e35b0ae261e0739f
SHA256 c74cc9b57276c722bb9774cb84b7e4afd4ea5c9ba1f0fdd77dc21c81b8aaa8c4
SHA512 bf3439117541d47daee8cc6ca363c66dd3d46cbdc5009173572e383dce3b5b83c7575af3317bb2bd50dee757a9a16b82bf386b31d1ba805f23a4d57e484ba2a6

memory/1536-8692-0x0000000000400000-0x0000000000440000-memory.dmp