Malware Analysis Report

2025-03-15 04:19

Sample ID: 241026-bnrbdsydnl
Target: 9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a
SHA256: 9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a
Tags: discovery spyware stealer
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: 9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a

Threat Level: Shows suspicious behavior

The file 9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a was found to show suspicious behavior.

Malicious Activity Summary

discovery spyware stealer

Reads user/profile data of web browsers

Drops startup file

Executes dropped EXE

Deletes itself

Loads dropped DLL

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Runs net.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-10-26 01:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-26 01:17
Reported: 2024-10-26 01:20
Platform: win7-20240903-en
Max time kernel: 149s
Max time network: 122s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BOLDSTRI\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Minesweeper\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Mail\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Help\en_US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Indian\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\tt\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sq\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\et\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Chess\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Media Player\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\ktab.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\kinit.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\TextConv\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\TextConv\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Logo1_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2872 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe C:\Windows\SysWOW64\net.exe
PID 2080 wrote to memory of 1324 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2872 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe C:\Windows\SysWOW64\cmd.exe
PID 2872 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe C:\Windows\Logo1_.exe
PID 2896 wrote to memory of 2124 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2124 wrote to memory of 1964 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2360 wrote to memory of 2780 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe
PID 2896 wrote to memory of 2972 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2972 wrote to memory of 2692 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2896 wrote to memory of 1204 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe"

C:\Windows\SysWOW64\net.exe
  Command line: net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe
  Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a8CF4.bat

C:\Windows\Logo1_.exe
  Command line: C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe
  Command line: net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe
  Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe"

C:\Windows\SysWOW64\net.exe
  Command line: net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe
  Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/2872-0-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a8CF4.bat

MD5 4b96bd9dc584d316db06ce4083d01eb5
SHA1 ce91f8eac7397747293a6fe78a7cebb7392df730
SHA256 ba613e8a762a7d8c4c6f80ad4682366af9bb0fe650a11b366db24c0c9d9ef244
SHA512 9871e23e923bf83a63aa429219f66a0c95935baa660104e68d20e17313684ca4535655fa98c65fe3dbe4015e648b7295046d7235e461c9ec78d0517f04909469

C:\Windows\Logo1_.exe

MD5 b90669fd70758712b3fb708f93b4fdc5
SHA1 ef70fda1f2d738d64a773f318960aa71eee808c6
SHA256 bb4e4469e8acbc1546b9e81d1b8a40edac80a7f8ea4660fad9dd58af7b84c369
SHA512 691df4a56d1a3d8b7d60f81eca004602615c4b96ba98ccaf1b19d72f8cfcacd6126cc4e6dc52690abc1c90a8fee6812613a9c3a41e020036e0895945560f67b7

memory/2896-16-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2872-19-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2872-18-0x0000000000230000-0x000000000026D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe

MD5 dfc18f7068913dde25742b856788d7ca
SHA1 cbaa23f782c2ddcd7c9ff024fd0b096952a2b387
SHA256 ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf
SHA512 d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945

memory/1204-28-0x0000000002DF0000-0x0000000002DF1000-memory.dmp

memory/2896-31-0x0000000000400000-0x000000000043D000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3533259084-2542256011-65585152-1000\_desktop.ini

MD5 28a582403dbb209b6c5cb7bada9c918d
SHA1 db58560be63032a4cbd738d2d639e5bf764d6277
SHA256 b5a9fa3acde4d9499ea08a6d9ff193fc9cda57f04141f82d2422a4008f451200
SHA512 511b4d3886d671d01c66d2509b784a199e68a00f2597d311d8d0770f0b1030680136ee450343a8d6c4b51d9de8448bafdde44dc1a1c6e62bccde47d5af03fbae

memory/2896-2961-0x0000000000400000-0x000000000043D000-memory.dmp

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 28959031896021bc7ca9f579de2cc456
SHA1 3577f294e56af20384c17c2e6b30043d3fb467ce
SHA256 f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec
SHA512 8ccc791701cbf875cff76feb50e78391fdc4375e0bd78c59111a657059e2f4c8c91b8603755bd5cfc1feb1abcc98b3eda6e3f810de8e8d60eb35090eecb21020

memory/2896-4143-0x0000000000400000-0x000000000043D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-26 01:17
Reported: 2024-10-26 01:20
Platform: win10v2004-20241007-en
Max time kernel: 150s
Max time network: 151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Google\Chrome\Application\123.0.6312.123\MEIPreload\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\IRIS\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sl-si\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\cs-cz\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\HelpCfg\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ast\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Defender\uk-UA\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\de-de\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\host\fxr\8.0.2\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javap.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\QUAD\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateComRegisterShell64.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ne\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nb-no\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\it-it\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Internet Explorer\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\host\fxr\6.0.27\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ar-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ar-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sk-sk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\he-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ie\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\d3d11\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\cs-cz\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-ma\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Configuration\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\JOURNAL\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sk-sk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pl-pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\he-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hr-hr\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Logo1_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1620 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe C:\Windows\SysWOW64\net.exe
PID 1620 wrote to memory of 3560 N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe C:\Windows\SysWOW64\net.exe
PID 3560 wrote to memory of 212 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3560 wrote to memory of 212 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3560 wrote to memory of 212 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1620 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe C:\Windows\SysWOW64\cmd.exe
PID 1620 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe C:\Windows\Logo1_.exe
PID 1620 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe C:\Windows\Logo1_.exe
PID 1620 wrote to memory of 2684 N/A C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe C:\Windows\Logo1_.exe
PID 2684 wrote to memory of 1676 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2684 wrote to memory of 1676 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2684 wrote to memory of 1676 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1676 wrote to memory of 3384 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1676 wrote to memory of 3384 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1676 wrote to memory of 3384 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3344 wrote to memory of 3744 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe
PID 3344 wrote to memory of 3744 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe
PID 2684 wrote to memory of 4424 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2684 wrote to memory of 4424 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2684 wrote to memory of 4424 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4424 wrote to memory of 3160 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4424 wrote to memory of 3160 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4424 wrote to memory of 3160 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2684 wrote to memory of 3464 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2684 wrote to memory of 3464 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe

"C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a91EF.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe

"C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

Country Destination Domain Proto
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 101.11.19.2.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp

Files

memory/1620-0-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\Logo1_.exe

MD5 b90669fd70758712b3fb708f93b4fdc5
SHA1 ef70fda1f2d738d64a773f318960aa71eee808c6
SHA256 bb4e4469e8acbc1546b9e81d1b8a40edac80a7f8ea4660fad9dd58af7b84c369
SHA512 691df4a56d1a3d8b7d60f81eca004602615c4b96ba98ccaf1b19d72f8cfcacd6126cc4e6dc52690abc1c90a8fee6812613a9c3a41e020036e0895945560f67b7

memory/2684-8-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1620-11-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a91EF.bat

MD5 00548c2785aee58413f85c96e290dfd5
SHA1 82519c16c53101f5c6590bca2f510eab9f50a20e
SHA256 058880483d350e49f98abcdd3aeb85fcb7541da64a136f0804a17d742a8e3dc2
SHA512 f6a7149da01deb766bc630dd33c4f9966151c37576c04dbf22ba5075edd38fadc7d9517a6b31b4a7fad3ddcd3169837713bfb533ae023f619845be52f658f06e

C:\Users\Admin\AppData\Local\Temp\9b9a3aaf2b7c2786ee409e1c44b98f50a371c03c34463e4db9b5cd54d1eadc3a.exe.exe

MD5 dfc18f7068913dde25742b856788d7ca
SHA1 cbaa23f782c2ddcd7c9ff024fd0b096952a2b387
SHA256 ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf
SHA512 d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945

memory/2684-18-0x0000000000400000-0x000000000043D000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-2878641211-696417878-3864914810-1000\_desktop.ini

MD5 28a582403dbb209b6c5cb7bada9c918d
SHA1 db58560be63032a4cbd738d2d639e5bf764d6277
SHA256 b5a9fa3acde4d9499ea08a6d9ff193fc9cda57f04141f82d2422a4008f451200
SHA512 511b4d3886d671d01c66d2509b784a199e68a00f2597d311d8d0770f0b1030680136ee450343a8d6c4b51d9de8448bafdde44dc1a1c6e62bccde47d5af03fbae

C:\Program Files\7-Zip\7z.exe

MD5 ad3f2708c484c172a0eba76e05c1e8cd
SHA1 915656c6ddfd2e08c687f58a7067ac4ac2fe420e
SHA256 4714aeca0672b67fe73aef3c4ff44beae1f656eba2b0e3579db74d53817246ed
SHA512 c4c7d23e2317307f67d7932a5f0bb083fae18b150043e00f5290962b95315aa12531642d2f0c413c98d9357b18ec757e015b0a844b779dde7e8f0ed9f911d0e8

memory/2684-3454-0x0000000000400000-0x000000000043D000-memory.dmp

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 efcce7232eb78a3095a2cedcfcff1d26
SHA1 fcecbd07f20e3500faa209e80cf1c78af3fd10a7
SHA256 c091a8efdac1e393ae2cc2b45686cf63b9ed2ad73d7b334031a13fa340f65429
SHA512 d787335cb0f515a626e16f6d99ce151eccbca0f7888db2405bdc2445e96afff22afe292a06d57b6f8ae6c24ea3c8d114649b23b2cfe7352f921e55e47503fef4

memory/2684-8808-0x0000000000400000-0x000000000043D000-memory.dmp