Malware Analysis Report

2024-10-23 21:03

Sample ID 240613-xen1kasarq
Target dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186
SHA256 dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186
Tags
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256

dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186

Threat Level: Shows suspicious behavior

The file dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186 was classified as: Shows suspicious behavior.

Malicious Activity Summary

Deletes itself

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Runs net.exe

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 18:46

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 18:46

Reported

2024-06-13 18:48

Platform

win7-20240611-en

Max time kernel

149s

Max time network

121s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\VideoLAN\VLC\locale\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\sidebar.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\sw\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\logger\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\3082\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\es_MX\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\lib\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ko\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\d3d11\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Accessories\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\pack200.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\gd\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Atlantic\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1036\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\intf\modules\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\services_discovery\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\tt\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\sd\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\ICU\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1868 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186.exe C:\Windows\SysWOW64\cmd.exe
PID 1868 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186.exe C:\Windows\SysWOW64\cmd.exe
PID 1868 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186.exe C:\Windows\SysWOW64\cmd.exe
PID 1868 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186.exe C:\Windows\SysWOW64\cmd.exe
PID 1868 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186.exe C:\Windows\Logo1_.exe
PID 1868 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186.exe C:\Windows\Logo1_.exe
PID 1868 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186.exe C:\Windows\Logo1_.exe
PID 1868 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186.exe C:\Windows\Logo1_.exe
PID 2704 wrote to memory of 2716 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2704 wrote to memory of 2716 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2704 wrote to memory of 2716 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2704 wrote to memory of 2716 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2428 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186.exe
PID 2428 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186.exe
PID 2428 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186.exe
PID 2428 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186.exe
PID 2716 wrote to memory of 2652 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2716 wrote to memory of 2652 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2716 wrote to memory of 2652 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2716 wrote to memory of 2652 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2660 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186.exe C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
PID 2660 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186.exe C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
PID 2660 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186.exe C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
PID 2660 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186.exe C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
PID 2704 wrote to memory of 1380 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2704 wrote to memory of 1380 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186.exe

"C:\Users\Admin\AppData\Local\Temp\dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a13CF.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186.exe

"C:\Users\Admin\AppData\Local\Temp\dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

N/A

Files

memory/1868-0-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a13CF.bat

MD5 4ca01690e87e5794a46652c5579de0f5
SHA1 08fec4ae4ca07e6ce0c891cc8f53901619b46f3e
SHA256 43a476a70154339772bfd2f2bf31a42342bd97c1ec8ab76ffc0afe8b01b37c15
SHA512 55681715a2eb9ecfdb00926e28380a5c63160e8f8400ad0e7d3dc45a7e6970c6f47f92891d97d28585545045f39a9810167cfb9647aec071b0891654cfd1ea58

memory/1868-12-0x0000000000220000-0x0000000000255000-memory.dmp

C:\Windows\Logo1_.exe

MD5 522f5828b177b3aa961c91c390994c15
SHA1 5942de653667031a36340cce4099e3f6a28d3d51
SHA256 3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd
SHA512 91be6026a7633ec5951f4a9e7ca55cf6d0050b3e03f6746e39d71dbc215fb43b7a3a57ac996d5dd32c4b00d98714cc354cebc2d3c2c2a526a05e982bf4540711

memory/1868-18-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2704-22-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186.exe.exe

MD5 a83eca93a0dde026ee845a76b08faafa
SHA1 2eb951e88272b326e48ecc91d88a5423a6233fae
SHA256 f2b2cb78ef1fd7e90bd45ef2a175583ee3c49380748c08e770be52931915ad18
SHA512 f3edb0db98c17c6d6fb6a9676fb3ca8a5f97cad4495b5054d40c0cc7075e8439c1b8f12d7226bb885a638d6be255d7cc5fc2e6e5e4b14751d3efea1fd2027e88

\Users\Admin\AppData\Local\Temp\nst1557.tmp\System.dll

MD5 ca332bb753b0775d5e806e236ddcec55
SHA1 f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f
SHA256 df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d
SHA512 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

\Users\Admin\AppData\Local\Temp\nst1557.tmp\WeChatInstallDll.dll

MD5 91153d3fc0b835b072aeebc4d8837faf
SHA1 1e1e524be7c69077229973e385c447d9692ad937
SHA256 a7971bce47584535e9033f9d72d8f6f386c7d8deef3b93e11de50cf9574f7413
SHA512 2b49c6d701cc6f0d25a81258dcec2159ab3ea30389d18aadcc486c540f5daf6adedf998def1bf5c5fb4a5712755dbca710387c862a89138b23ec081682e835ec

\Users\Admin\AppData\Local\Temp\nst1557.tmp\FindProcDLL.dll

MD5 633625aa3be670a515fa87ff3a566d90
SHA1 de035c083125aef5df0a55c153ef6cc4dd4c15b4
SHA256 bda8e0ddb672ea3558ad68634c49da06cd72f93d7fca642ca41df00e26512df1
SHA512 3c687ddf0e4e93a6787a23a93e2011df42898f6d21101c848a1b7c7bd2eddd5d49fdd0748e47e6235e7808596d00a1ecf79b5c975d050dd8d00a95f515a444a9

memory/2556-52-0x0000000007130000-0x00000000071DB000-memory.dmp

memory/2556-55-0x0000000007130000-0x00000000071DB000-memory.dmp

memory/1380-63-0x0000000002A10000-0x0000000002A11000-memory.dmp

memory/2704-96-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2556-97-0x0000000007130000-0x00000000071DB000-memory.dmp

memory/2556-98-0x0000000007130000-0x00000000071DB000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-2812790648-3157963462-487717889-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

memory/2704-105-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2556-106-0x0000000007130000-0x00000000071DB000-memory.dmp

memory/2704-112-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2704-158-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2704-164-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2704-459-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2704-1941-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 e723a1bc7f82cb9ebbb977cdc1fb1be3
SHA1 69f4ed87384d009a9669dfb8f26482e1435bcdb1
SHA256 2cea9cadd842f36c80e051ed4cbd759e6269674d54ef65ec7056b5ac71ee4913
SHA512 2c79d02c7e32c37e46f18996fe87e3b269068449d4df2e0539ef63c01cd4be8a84c8e3954f5985159eb2428fdd5bb62ca2eafa3c3c4bae51a3b4a64facaa0c0c

memory/2704-3401-0x0000000000400000-0x0000000000435000-memory.dmp

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 88eb1bca8c399bc3f46e99cdde2f047e
SHA1 55fafbceb011e1af2edced978686a90971bd95f2
SHA256 42fd78c05bc240d4ded16ac974f17c336f6ae3a1814d548021c48a942cc30428
SHA512 149d4de0c024e25a13a7bb17471e6f48391d4f26b1c8388672320eed1c255f84219ad7b72bbebc531ae558d5192dd4bb6d0dddd6c65a45300c8e8348a4fb3728

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 18:46

Reported

2024-06-13 18:48

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

93s

Command Line

C:\Windows\Explorer.EXE

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\jre\legal\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\RTL\contrast-white\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\th\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\32BitMAPIBroker.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ca-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sk-sk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ar-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\it-it\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_x64__8wekyb3d8bbwe\Assets\AppTiles\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-cn\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\meta\art\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_output\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_GB\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fi-fi\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\he-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Solitaire.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1906.2182.0_x64__8wekyb3d8bbwe\WinMetadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\pages\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sk-sk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Download\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\hr-hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstaller.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\it-it\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sl-si\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fr-ma\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186.exe N/A
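
The two drop tables above repeat the same two artefact types many times over: a `_desktop.ini` written into each directory that Logo1_.exe walks, and existing executables under Program Files (helper.exe, uninstall.exe, AppInstaller.exe) opened for modification, plus the three files written into C:\Windows. The Python below is an added example, not part of the sandbox report: it parses rows in the report's own "Description Indicator Process Target" layout and reduces them to what a responder actually needs from these tables: the directories carrying the marker, the host binaries that have to be re-hashed against vendor-known-good copies, and the files dropped into C:\Windows. The sample rows are copied from the tables above; the regex and the classification rules are this example's own assumptions.

```python
import json
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# Constructed input: rows copied from the file-activity tables of this report.
ROWS = [
    r"File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\_desktop.ini C:\Windows\Logo1_.exe N/A",
    r"File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe C:\Windows\Logo1_.exe N/A",
    r"File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe C:\Windows\Logo1_.exe N/A",
    r"File opened for modification C:\Program Files (x86)\Google\Update\Download\_desktop.ini C:\Windows\Logo1_.exe N/A",
    r"File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A",
    r"File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A",
    r"File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186.exe N/A",
    r"File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186.exe N/A",
]

# Columns are space-separated, but the Indicator path can itself contain spaces
# ("Program Files (x86)"). The Process column in this report is a single
# drive-letter path without spaces, and Target is always "N/A", so anchor on those
# and let the non-greedy Indicator group absorb the rest.
ROW_RE = re.compile(
    r"^(?P<action>File created|File opened for modification) "
    r"(?P<indicator>.+?) "
    r"(?P<process>[A-Za-z]:\\\S+) N/A$"
)


def parse_row(row):
    """Return the row's columns as a dict, or None for rows in another layout."""
    m = ROW_RE.match(row)
    return m.groupdict() if m else None


def summarize(rows):
    """Reduce file-activity rows to marker directories, touched host binaries and Windows drops."""
    marker_dirs, host_binaries, windows_drops = set(), set(), set()
    by_process = defaultdict(int)
    for row in rows:
        ev = parse_row(row)
        if ev is None:
            continue
        target = PureWindowsPath(ev["indicator"])
        by_process[PureWindowsPath(ev["process"]).name] += 1
        if target.name.lower() == "_desktop.ini":
            # Leading underscore: the infector's per-directory marker, not the
            # legitimate Windows desktop.ini.
            marker_dirs.add(str(target.parent))
        elif target.suffix.lower() in (".exe", ".dll"):
            in_windows = len(target.parts) > 1 and target.parts[1].lower() == "windows"
            (windows_drops if in_windows else host_binaries).add(str(target))
    return {
        "marker_dirs": sorted(marker_dirs),
        "host_binaries": sorted(host_binaries),   # re-hash these against vendor-known-good copies
        "windows_drops": sorted(windows_drops),   # files the sample wrote into C:\Windows
        "by_process": dict(by_process),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(ROWS), indent=2))
```

On a full report export the same parser runs over every row; rows in other layouts (the drive-enumeration "File opened (read-only)" rows, for instance) are skipped rather than mis-parsed because the regex requires one of the two actions seen in these tables.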

Enumerates physical storage devices

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Events
N/A N/A C:\Windows\Logo1_.exe N/A 20
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe N/A 30
(identical rows collapsed into the Events column; the report's sequence is Logo1_.exe x12, Au_.exe x8, Logo1_.exe x8, Au_.exe x22)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 208 wrote to memory of 1980 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186.exe C:\Windows\SysWOW64\cmd.exe
PID 208 wrote to memory of 1052 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186.exe C:\Windows\Logo1_.exe
PID 1052 wrote to memory of 116 (3 writes) N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 116 wrote to memory of 552 (3 writes) N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1980 wrote to memory of 1536 (3 writes) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186.exe
PID 1536 wrote to memory of 64 (3 writes) N/A C:\Users\Admin\AppData\Local\Temp\dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186.exe C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe
PID 1052 wrote to memory of 3400 (2 writes) N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186.exe

"C:\Users\Admin\AppData\Local\Temp\dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5052.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186.exe

"C:\Users\Admin\AppData\Local\Temp\dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp\
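
Read together, the WriteProcessMemory rows and the command lines above describe two chains out of the submitted file. One runs through cmd.exe executing $$a5052.bat, which relaunches the sample, which then starts Au_.exe from ~nsu.tmp with an `_?=` argument (the convention an NSIS uninstaller uses when it copies itself to a temporary directory and passes the install directory back in). The other runs through Logo1_.exe, which stops the "Kingsoft AntiVirus Service" via net.exe and net1.exe and writes into Explorer.EXE. Explorer.EXE heads the process list and is the shell the sandbox used to launch the sample, so the write into PID 3400 is injection into an existing process rather than a child launch. The Python below is an added example, not report output: it rebuilds that tree from rows in the report's own layout, collapsing the repeated rows into per-edge write counts and attaching the command lines by image name. The rows and command lines are copied from the tables above; treating Explorer.EXE as pre-existing is this example's assumption, and image names are matched by basename because the Processes list carries no PIDs.

```python
import re
from pathlib import PureWindowsPath

_SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186.exe"

# Constructed input copied from the WriteProcessMemory table: each unique row with the
# number of times the report repeats it, expanded back into rows so the parser has to
# do the collapsing itself.
_UNIQUE = [
    ("PID 208 wrote to memory of 1980 N/A " + _SAMPLE + r" C:\Windows\SysWOW64\cmd.exe", 3),
    ("PID 208 wrote to memory of 1052 N/A " + _SAMPLE + r" C:\Windows\Logo1_.exe", 3),
    (r"PID 1052 wrote to memory of 116 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe", 3),
    (r"PID 116 wrote to memory of 552 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe", 3),
    (r"PID 1980 wrote to memory of 1536 N/A C:\Windows\SysWOW64\cmd.exe " + _SAMPLE, 3),
    ("PID 1536 wrote to memory of 64 N/A " + _SAMPLE + r" C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe", 3),
    (r"PID 1052 wrote to memory of 3400 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE", 2),
]
WPM_ROWS = [row for row, n in _UNIQUE for _ in range(n)]

# (image, command line) pairs copied from the Processes list above.
PROCESSES = [
    (r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    (_SAMPLE, '"' + _SAMPLE + '"'),
    (r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5052.bat"),
    (r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    (r"C:\Windows\SysWOW64\net.exe", 'net stop "Kingsoft AntiVirus Service"'),
    (r"C:\Windows\SysWOW64\net1.exe", r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
    (_SAMPLE, '"' + _SAMPLE + '"'),
    (r"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\~nsu.tmp\Au_.exe" _?=C:\Users\Admin\AppData\Local\Temp' + "\\"),
]

WPM_RE = re.compile(r"^PID (?P<parent>\d+) wrote to memory of (?P<child>\d+) N/A (?P<pimg>\S+) (?P<cimg>\S+)$")


def parse_edges(rows):
    """Collapse repeated rows into one edge per (parent PID, child PID) with a write count."""
    edges = {}
    for row in rows:
        m = WPM_RE.match(row)
        if not m:
            continue
        key = (int(m["parent"]), int(m["child"]))
        edge = edges.setdefault(key, {"parent": m["pimg"], "child": m["cimg"], "writes": 0})
        edge["writes"] += 1
    return edges


def roots(edges):
    """PIDs that write into others but are never written into: the top of each chain."""
    parents = {p for p, _ in edges}
    children = {c for _, c in edges}
    return sorted(parents - children)


def render_tree(edges, processes, preexisting=("Explorer.EXE",)):
    """Indented lines, one per PID, in the order the edges appear in the report."""
    cmdline = {PureWindowsPath(img).name: cmd for img, cmd in processes}
    image, kids = {}, {}
    for (p, c), e in edges.items():
        image[p], image[c] = e["parent"], e["child"]
        kids.setdefault(p, []).append(c)
    lines = []

    def walk(pid, depth):
        name = PureWindowsPath(image[pid]).name
        line = f"{'  ' * depth}[{pid}] {name}: {cmdline.get(name, '?')}"
        if name in preexisting:
            # Assumption: the shell was running before the sample, so this is injection.
            line += "  <- injection into a process that was already running"
        lines.append(line)
        for child in kids.get(pid, []):
            walk(child, depth + 1)

    for r in roots(edges):
        walk(r, 0)
    return lines


if __name__ == "__main__":
    print("\n".join(render_tree(parse_edges(WPM_ROWS), PROCESSES)))
```

The write counts are worth keeping: every parent-to-child launch in this report shows exactly three writes, while the write into Explorer.EXE shows two, which is the kind of difference that separates a normal process start from a write into a foreign process when the signature itself does not say which it saw.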

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 197.121.18.2.in-addr.arpa udp
BE 2.17.107.130:443 www.bing.com tcp
US 8.8.8.8:53 130.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 130.211.222.173.in-addr.arpa udp
US 8.8.8.8:53 87.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/208-0-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\Logo1_.exe

MD5 522f5828b177b3aa961c91c390994c15
SHA1 5942de653667031a36340cce4099e3f6a28d3d51
SHA256 3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd
SHA512 91be6026a7633ec5951f4a9e7ca55cf6d0050b3e03f6746e39d71dbc215fb43b7a3a57ac996d5dd32c4b00d98714cc354cebc2d3c2c2a526a05e982bf4540711

memory/208-9-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1052-11-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a5052.bat

MD5 2b1244296728660703f744b25c45abc8
SHA1 41e662d97d90e5d8ec1a202799b1fb522ab54c2d
SHA256 ba09b9d5eaf9a47e4320f640e6e7110f65ba1001e7da0a6e74d0ec3c0aedf528
SHA512 16ab57ee843ce23fc8759aadb8e274c2f431b81665ffcb93ec35b0207873fc27afbedaf854a87aa2cc934e42381072064773f590650e8879c3da02661fe60300

C:\Users\Admin\AppData\Local\Temp\dfa8cf384960fea9ca3c2741f3ab17a70b72e9f73597005c4c0612763afe1186.exe.exe

MD5 a83eca93a0dde026ee845a76b08faafa
SHA1 2eb951e88272b326e48ecc91d88a5423a6233fae
SHA256 f2b2cb78ef1fd7e90bd45ef2a175583ee3c49380748c08e770be52931915ad18
SHA512 f3edb0db98c17c6d6fb6a9676fb3ca8a5f97cad4495b5054d40c0cc7075e8439c1b8f12d7226bb885a638d6be255d7cc5fc2e6e5e4b14751d3efea1fd2027e88

C:\Users\Admin\AppData\Local\Temp\nsu52F4.tmp\System.dll

MD5 ca332bb753b0775d5e806e236ddcec55
SHA1 f35ef76592f20850baef2ebbd3c9a2cfb5ad8d8f
SHA256 df5ae79fa558dc7af244ec6e53939563b966e7dbd8867e114e928678dbd56e5d
SHA512 2de0956a1ad58ad7086e427e89b819089f2a7f1e4133ed2a0a736adc0614e8588ebe2d97f1b59ab8886d662aeb40e0b4838c6a65fbfc652253e3a45664a03a00

C:\Users\Admin\AppData\Local\Temp\nsu52F4.tmp\WeChatInstallDll.dll

MD5 91153d3fc0b835b072aeebc4d8837faf
SHA1 1e1e524be7c69077229973e385c447d9692ad937
SHA256 a7971bce47584535e9033f9d72d8f6f386c7d8deef3b93e11de50cf9574f7413
SHA512 2b49c6d701cc6f0d25a81258dcec2159ab3ea30389d18aadcc486c540f5daf6adedf998def1bf5c5fb4a5712755dbca710387c862a89138b23ec081682e835ec

C:\Users\Admin\AppData\Local\Temp\nsu52F4.tmp\FindProcDLL.dll

MD5 633625aa3be670a515fa87ff3a566d90
SHA1 de035c083125aef5df0a55c153ef6cc4dd4c15b4
SHA256 bda8e0ddb672ea3558ad68634c49da06cd72f93d7fca642ca41df00e26512df1
SHA512 3c687ddf0e4e93a6787a23a93e2011df42898f6d21101c848a1b7c7bd2eddd5d49fdd0748e47e6235e7808596d00a1ecf79b5c975d050dd8d00a95f515a444a9

memory/64-39-0x00000000078B0000-0x000000000795B000-memory.dmp

memory/64-42-0x00000000078B0000-0x000000000795B000-memory.dmp

memory/64-43-0x00000000078B0000-0x000000000795B000-memory.dmp

memory/64-52-0x00000000078B0000-0x000000000795B000-memory.dmp

memory/64-53-0x00000000078B0000-0x000000000795B000-memory.dmp

memory/64-61-0x00000000078B0000-0x000000000795B000-memory.dmp

memory/64-62-0x00000000078B0000-0x000000000795B000-memory.dmp

memory/64-70-0x00000000078B0000-0x000000000795B000-memory.dmp

memory/64-71-0x00000000078B0000-0x000000000795B000-memory.dmp

memory/64-79-0x00000000078B0000-0x000000000795B000-memory.dmp

memory/64-87-0x00000000078B0000-0x000000000795B000-memory.dmp

memory/64-95-0x00000000078B0000-0x000000000795B000-memory.dmp

memory/1052-96-0x0000000000400000-0x0000000000435000-memory.dmp

memory/64-97-0x00000000078B0000-0x000000000795B000-memory.dmp

memory/64-98-0x00000000078B0000-0x000000000795B000-memory.dmp

memory/64-99-0x00000000078B0000-0x000000000795B000-memory.dmp

memory/64-100-0x00000000078B0000-0x000000000795B000-memory.dmp

memory/64-101-0x00000000078B0000-0x000000000795B000-memory.dmp

memory/64-102-0x00000000078B0000-0x000000000795B000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3169499791-3545231813-3156325206-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

memory/1052-109-0x0000000000400000-0x0000000000435000-memory.dmp

memory/64-111-0x00000000078B0000-0x000000000795B000-memory.dmp

memory/64-110-0x00000000078B0000-0x000000000795B000-memory.dmp

memory/64-112-0x00000000078B0000-0x000000000795B000-memory.dmp

memory/64-113-0x00000000078B0000-0x000000000795B000-memory.dmp

memory/64-114-0x00000000078B0000-0x000000000795B000-memory.dmp

memory/64-115-0x00000000078B0000-0x000000000795B000-memory.dmp

memory/64-116-0x00000000078B0000-0x000000000795B000-memory.dmp

memory/64-117-0x00000000078B0000-0x000000000795B000-memory.dmp

memory/1052-123-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1052-127-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Program Files\7-Zip\7z.exe

MD5 905cd9b391a0e6f621c9a5fd4e28b109
SHA1 96e337bb3df23112d7639de71f8aa75ad0107b7f
SHA256 8a37e051b4fa0fb0264e0f398463ed17c13fffc27d2e9a4d58ad915495d013ae
SHA512 63b92cf479b2717a39d46de3035a129aefd239d9910812c246240e0cbb9dab608b4240a29672211faa35aa1df2960c0dede50196153726165142cd4cf74e0c42

memory/1052-158-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1052-1322-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 e723a1bc7f82cb9ebbb977cdc1fb1be3
SHA1 69f4ed87384d009a9669dfb8f26482e1435bcdb1
SHA256 2cea9cadd842f36c80e051ed4cbd759e6269674d54ef65ec7056b5ac71ee4913
SHA512 2c79d02c7e32c37e46f18996fe87e3b269068449d4df2e0539ef63c01cd4be8a84c8e3954f5985159eb2428fdd5bb62ca2eafa3c3c4bae51a3b4a64facaa0c0c

memory/1052-4890-0x0000000000400000-0x0000000000435000-memory.dmp

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 9cba1e86016b20490fff38fb45ff4963
SHA1 378720d36869d50d06e9ffeef87488fbc2a8c8f7
SHA256 a22e6d0f5c7d44fefc2204e0f7c7b048e1684f6cf249ba98c006bbf791c22d19
SHA512 2f3737d29ea3925d10ea5c717786425f6434be732974586328f03691a35cd1539828e3301685749e5c4135b8094f15b87fb9659915de63678a25749e2f8f5765

memory/1052-5329-0x0000000000400000-0x0000000000435000-memory.dmp
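
The Files section mixes two kinds of artefact that a responder should treat differently. Logo1_.exe and $$a5052.bat were written by the sample, so their SHA-256 values are usable hunting hashes. 7z.exe, GoogleUpdateCore.exe and windowsdesktop-runtime-8.0.2-win-x64.exe were pre-existing binaries the sample opened for modification; the hashes listed for them are their state after this run on the sandbox's own copies, so a host copy should be compared against the vendor's known-good hash rather than against these values. The Python below is an added example, not part of the report: it sweeps a directory tree for the `_desktop.ini` marker, for the three file names dropped into C:\Windows, and for the two dropped-file hashes, and deliberately leaves the host-binary hashes out. The directory layout it builds for the demo is constructed in a temporary directory, and the "demo-dropped-tool" hash is registered only so that the demo has a hash hit without shipping a real dropped binary.

```python
import hashlib
import os
import tempfile

# File names the report shows being written into C:\Windows, and the SHA-256 values
# of the two files the sample itself wrote (from the Files section above).
DROPPED_NAMES = {"logo1_.exe", "rundl132.exe", "vdll.dll"}
IOC_SHA256 = {
    "3c8345f2ebf5d6e07ed35d105a7e347020c0dd3904957cc6c52d0531c0830fdd": "Logo1_.exe",
    "ba09b9d5eaf9a47e4320f640e6e7110f65ba1001e7da0a6e74d0ec3c0aedf528": "$$a5052.bat",
}
HASHED_SUFFIXES = (".exe", ".dll", ".bat")


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, ioc_sha256=IOC_SHA256):
    """Walk root and return findings: marker files, dropped-tool names, IOC hash hits, unreadable files."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            low = name.lower()
            # The infector writes "_desktop.ini" (leading underscore) into every directory
            # it traverses; the legitimate Windows "desktop.ini" does not match this test.
            if low == "_desktop.ini":
                findings.append({"kind": "marker", "path": full})
            elif low in DROPPED_NAMES:
                findings.append({"kind": "dropped_tool", "path": full})
            if low.endswith(HASHED_SUFFIXES):
                try:
                    digest = sha256_file(full)
                except OSError as exc:
                    # Locked or access-denied files are reported, not silently skipped.
                    findings.append({"kind": "unreadable", "path": full, "error": str(exc)})
                    continue
                if digest in ioc_sha256:
                    findings.append({"kind": "ioc_hash", "path": full, "label": ioc_sha256[digest]})
    return findings


def demo():
    """Build a constructed directory layout in a temp dir and sweep it; no real host is touched."""
    with tempfile.TemporaryDirectory() as root:
        app_dir = os.path.join(root, "Program Files", "Example App")
        win_dir = os.path.join(root, "Windows")
        os.makedirs(app_dir)
        os.makedirs(win_dir)
        with open(os.path.join(app_dir, "_desktop.ini"), "wb") as f:
            f.write(b"")
        with open(os.path.join(app_dir, "app.exe"), "wb") as f:
            f.write(b"MZ constructed clean host binary")
        # Constructed stand-in for a dropped tool; its hash is registered as a demo IOC
        # because the real dropped binaries are not part of this example.
        payload = b"constructed stand-in for rundl132.exe"
        with open(os.path.join(win_dir, "rundl132.exe"), "wb") as f:
            f.write(payload)
        iocs = dict(IOC_SHA256)
        iocs[hashlib.sha256(payload).hexdigest()] = "demo-dropped-tool"
        return sorted(
            (hit["kind"], os.path.relpath(hit["path"], root).replace(os.sep, "/"))
            for hit in sweep(root, iocs)
        )


if __name__ == "__main__":
    for kind, path in demo():
        print(f"{kind:13} {path}")
```

Point `sweep()` at a mounted image or a live volume's Program Files and Windows directories; a marker hit in a directory tells you the infector walked it, and for each .exe in that directory the question is then whether it still matches the vendor hash, not whether it matches anything in this report.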