Analysis Overview
SHA256
82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238
Threat Level: Shows suspicious behavior
The file 82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238 was found to be: Shows suspicious behavior.
Malicious Activity Summary
Deletes itself
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Drops startup file
Enumerates connected drives
Drops file in Program Files directory
Drops file in Windows directory
Unsigned PE
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 00:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 00:43
Reported
2024-06-13 00:45
Platform
win7-20240508-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\K: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\Logo1_.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\wmlaunch.exe | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\DVDMaker.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Purble Place\fr-FR\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\mr\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\wmpenc.exe | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Minesweeper\it-IT\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Solitaire\de-DE\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\VGX\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\7-Zip\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\zi\Australia\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Windows Media Player\fr-FR\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\features\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\fr-FR\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\it-IT\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Hearts\fr-FR\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Analysis Services\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\Argentina\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\bg\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Chess\ja-JP\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Purble Place\en-US\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\plugins\codec\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Windows Photo Viewer\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rundl132.exe | C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe | N/A |
| File created | C:\Windows\Logo1_.exe | C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe | N/A |
| File opened for modification | C:\Windows\rundl132.exe | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Windows\Dll.dll | C:\Windows\Logo1_.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe
"C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe"
C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$a208B.bat
C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe
"C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
Files
memory/1728-0-0x0000000000400000-0x000000000043D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\$$a208B.bat
| MD5 | 51c7b20a322f41b76e53d199040c02cf |
| SHA1 | 86f8c7e528fc35e5794b9496661a1402364780ae |
| SHA256 | 08d84796f2212d46c1a41bc8055ac486fa2a1b8148863e4f5038f9a0455140a7 |
| SHA512 | a014b6b754d679384ec46d770ef6e806e0ade4b214a1348cf6c7095e9a06b687ee04d5e931a37d3d15b014e5fb37ff8c7541d02a7fda46f56d9e2f78900ea18f |
C:\Windows\Logo1_.exe
| MD5 | cd88e1cdb51bb21341a5ebc4614c2993 |
| SHA1 | 24311f2925671aa9e269bf3caafeb9e5457f34c2 |
| SHA256 | bcbc3bac3b06c68e87b00cc8620ff68b28d1dc38c54ad029d2f86117f38995e7 |
| SHA512 | 59cceba548a123e446e49b9b34ef8b13fe100ba1c4329f8b16c963248f9b1eda4fa5015cf82cf2cac64f2b471761029808c26b134cd29ba757b232dcd5b76eb7 |
memory/1728-18-0x0000000000400000-0x000000000043D000-memory.dmp
memory/2628-20-0x0000000000400000-0x000000000043D000-memory.dmp
memory/1728-16-0x0000000000230000-0x000000000026D000-memory.dmp
\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe
| MD5 | c8e284efba3b50c9216dbe552d24f5b0 |
| SHA1 | c76b65dd211e03a2a53f57d87cc90df61b0ab10f |
| SHA256 | 66d7811a891b614f7fc174ae5a3ea1d29d1edde50b12fcaf51c0dc5b54a20b4a |
| SHA512 | 42db8c59820836fee76ffc877983f72d639d9e30171943ae04d8cd8bcd4ac61730a5e0f4b80a905f4f59c03fa8ba62e1c8f4c1e9095eca65f17a2f122a688ef5 |
memory/1196-31-0x0000000002560000-0x0000000002561000-memory.dmp
memory/2628-34-0x0000000000400000-0x000000000043D000-memory.dmp
F:\$RECYCLE.BIN\S-1-5-21-268080393-3149932598-1824759070-1000\_desktop.ini
| MD5 | 4f2460b507685f7d7bfe6393f335f1c9 |
| SHA1 | 378d42f114b1515872e58de6662373af31ab8c7b |
| SHA256 | 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42 |
| SHA512 | 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb |
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
| MD5 | da30546751d760f44fb7575c89a7bf6c |
| SHA1 | 755c9d7ec5a3e1d83a53e47dfb1c08c0fcce724a |
| SHA256 | 28e78f117ce45ad8c1cbc1bdafdb851e696a3cd1c2c314ddb1729223ffb6ced5 |
| SHA512 | 5df079d358474eab0738b20deae1fd22b0bf3c46f5330007efcd2a869e068a9abd4dc7207ccc38955932691a728956b23ce4e3953110c68e27e5c704a5d5f3ff |
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
| MD5 | 7b714d463f7db900d5b6e757778a8ab8 |
| SHA1 | 2cfc0e9f54236af8e10b0bfa551d87a20982b733 |
| SHA256 | c995370836939a29853611830ca08d437286d4f45603edce88f36aa1f99a0d97 |
| SHA512 | e8fe8823b5b7f282c24c964cbf4f248b7562259a13410bf95997288727f9bfc6ea51c4aa40182b649a2235bafc02062e0c57f4f62876b5174395071a8d68f9bb |
memory/2628-3345-0x0000000000400000-0x000000000043D000-memory.dmp
memory/2628-4174-0x0000000000400000-0x000000000043D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 00:43
Reported
2024-06-13 00:45
Platform
win10v2004-20240508-en
Max time kernel
149s
Max time network
156s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\J: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\Logo1_.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\de-de\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ar-ae\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\hu-hu\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Google\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Windows Photo Viewer\it-IT\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\COMPASS\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\rhp\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nb-no\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hr-hr\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ro-ro\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Media Player\de-DE\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ja-jp\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fr-fr\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jstatd.exe | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\tr-tr\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\de-de\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ja-jp\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Internet Explorer\ielowutil.exe | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\uk\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\Network Sharing\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ca-es\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\java.exe | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-sl\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\es-es\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\meta\art\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Windows Media Player\Skins\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nl-nl\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\uk-ua\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fr-fr\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\zh-tw\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\swidtag\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\uk-ua\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Configuration\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-si\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\lib\security\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hr-hr\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\pl-pl\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\WindowsPowerShell\Configuration\Registration\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sl-sl\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\lua\extensions\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\sv-se\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\es-es\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\he-il\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Dll.dll | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Windows\rundl132.exe | C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe | N/A |
| File created | C:\Windows\Logo1_.exe | C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe | N/A |
| File opened for modification | C:\Windows\rundl132.exe | C:\Windows\Logo1_.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe
"C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe"
C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4A76.bat
C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe
"C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | tcp |
Files
memory/748-0-0x0000000000400000-0x000000000043D000-memory.dmp
C:\Windows\Logo1_.exe
| MD5 | cd88e1cdb51bb21341a5ebc4614c2993 |
| SHA1 | 24311f2925671aa9e269bf3caafeb9e5457f34c2 |
| SHA256 | bcbc3bac3b06c68e87b00cc8620ff68b28d1dc38c54ad029d2f86117f38995e7 |
| SHA512 | 59cceba548a123e446e49b9b34ef8b13fe100ba1c4329f8b16c963248f9b1eda4fa5015cf82cf2cac64f2b471761029808c26b134cd29ba757b232dcd5b76eb7 |
memory/1620-11-0x0000000000400000-0x000000000043D000-memory.dmp
memory/748-10-0x0000000000400000-0x000000000043D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\$$a4A76.bat
| MD5 | c98d562cb716a4e09da283de952bbd12 |
| SHA1 | 1514a6fd7550fd8e9087fd7855f4813bbf695b5b |
| SHA256 | 388e59c5fbfa99d0822f01f6f26133b99f485c7ef818e5f0c6e28a816eea239d |
| SHA512 | 30d3dd8ae80bfd9dc0d7eccf69cd20c484cbf20df067cc44eb8eb0868e5171307e1df5293cfee3fdb8b720efe01a1034bb85f99ebcd0008ecf20a7b544079a27 |
C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe.exe
| MD5 | c8e284efba3b50c9216dbe552d24f5b0 |
| SHA1 | c76b65dd211e03a2a53f57d87cc90df61b0ab10f |
| SHA256 | 66d7811a891b614f7fc174ae5a3ea1d29d1edde50b12fcaf51c0dc5b54a20b4a |
| SHA512 | 42db8c59820836fee76ffc877983f72d639d9e30171943ae04d8cd8bcd4ac61730a5e0f4b80a905f4f59c03fa8ba62e1c8f4c1e9095eca65f17a2f122a688ef5 |
memory/1620-18-0x0000000000400000-0x000000000043D000-memory.dmp
C:\_desktop.ini
| MD5 | 4f2460b507685f7d7bfe6393f335f1c9 |
| SHA1 | 378d42f114b1515872e58de6662373af31ab8c7b |
| SHA256 | 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42 |
| SHA512 | 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb |
C:\Program Files\7-Zip\7z.exe
| MD5 | d369fb65a7bea7f167abd442183c4d34 |
| SHA1 | f8b98ee3758743a59d69c283bbb3d267c436b761 |
| SHA256 | f3ef038fe97fa88da3ad24415d9b9a611b5d904e482ca7da3463f1644b109912 |
| SHA512 | 7edba551c45378ec1fd5b8bb04ebc54c64ecfd2665633f405632ec69a294d0a8648b4d738ae5eebcd4d743eb9dd70e70e9f5835df1a58c4ff5537071bdb3d956 |
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
| MD5 | da30546751d760f44fb7575c89a7bf6c |
| SHA1 | 755c9d7ec5a3e1d83a53e47dfb1c08c0fcce724a |
| SHA256 | 28e78f117ce45ad8c1cbc1bdafdb851e696a3cd1c2c314ddb1729223ffb6ced5 |
| SHA512 | 5df079d358474eab0738b20deae1fd22b0bf3c46f5330007efcd2a869e068a9abd4dc7207ccc38955932691a728956b23ce4e3953110c68e27e5c704a5d5f3ff |
memory/1620-5220-0x0000000000400000-0x000000000043D000-memory.dmp
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
| MD5 | 1ad09ab121869e9bedf81b1e82331d05 |
| SHA1 | 21270e52207071b7d304acb7d776c9abba38c15c |
| SHA256 | 834cd914a6bc7c3eadf3b23bacc01433aa6a32411ab547d958604a1c434518b7 |
| SHA512 | 4b1f28d726ec031fd0350a21ea7091087ae2688818716f7add7524fdf06a07d5937a4aa53c6029d2fab093714b1b48b8032927b56e2c207158946f6c71e6646b |
memory/1620-8679-0x0000000000400000-0x000000000043D000-memory.dmp