Malware Analysis Report

2025-01-22 08:29

Sample ID 241026-fy3vdszgpc
Target c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f
SHA256 c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f
Tags
discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f

Threat Level: Shows suspicious behavior

The file c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f was found to show suspicious behavior.

Malicious Activity Summary

discovery spyware stealer

Reads user/profile data of web browsers

Executes dropped EXE

Deletes itself

Drops startup file

Loads dropped DLL

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Runs net.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-26 05:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-26 05:17

Reported

2024-10-26 05:20

Platform

win7-20240903-en

Max time kernel

150s

Max time network

121s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre7\lib\zi\SystemV\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\lo\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Media Player\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AFTRNOON\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\COMPASS\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\br\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Mahjong\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\intf\modules\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ms\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\oc\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\zu\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\demux\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Logo1_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3044 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe C:\Windows\SysWOW64\net.exe
PID 536 wrote to memory of 2684 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3044 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe C:\Windows\SysWOW64\cmd.exe
PID 3044 wrote to memory of 1336 N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe C:\Windows\Logo1_.exe
PID 1336 wrote to memory of 2848 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2696 wrote to memory of 2980 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe
PID 2848 wrote to memory of 2860 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1336 wrote to memory of 2820 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2820 wrote to memory of 2640 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1336 wrote to memory of 1192 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe

"C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$aCD3E.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe

"C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/3044-0-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aCD3E.bat

MD5 db5464e7c29ea62ef344188744034958
SHA1 d9d6cc70018d0609e9c5f87977b2ca805831380b
SHA256 eca19d5701ddf6f9425db1419e7fb3f938a5ccdf04b979422bbc4d2a26773f10
SHA512 2444643ca369edacb1d0882aeded0a2b7427fc9c01c10a9f69a42e7e20022629fa61dc859f55f662208e817e95691a1ae8432756228dbf19936b78fe317953fb

memory/3044-12-0x0000000000230000-0x000000000026F000-memory.dmp

C:\Windows\Logo1_.exe

MD5 680e1d68d1c18cdb5e1fddd097cd0056
SHA1 3679880b26ab1a994375a7aa9ead9b17025ef30e
SHA256 9f250d09197e2a3e5f063b06c9995f5802b48852f9d98af43419e119698ccbc3
SHA512 15b9dfc38a515ab4ee8e9eca27a5a2d223b55ec5ab517e14a94a4da32ecfcba8b9f7589c429d92472617033f757c7843119ac1ec28f373600545a66e9873553b

memory/3044-18-0x0000000000230000-0x000000000026F000-memory.dmp

memory/1336-20-0x0000000000400000-0x000000000043F000-memory.dmp

memory/3044-17-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe.exe

MD5 dfc18f7068913dde25742b856788d7ca
SHA1 cbaa23f782c2ddcd7c9ff024fd0b096952a2b387
SHA256 ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf
SHA512 d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945

memory/1192-29-0x00000000024F0000-0x00000000024F1000-memory.dmp

memory/1336-32-0x0000000000400000-0x000000000043F000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-312935884-697965778-3955649944-1000\_desktop.ini

MD5 28a582403dbb209b6c5cb7bada9c918d
SHA1 db58560be63032a4cbd738d2d639e5bf764d6277
SHA256 b5a9fa3acde4d9499ea08a6d9ff193fc9cda57f04141f82d2422a4008f451200
SHA512 511b4d3886d671d01c66d2509b784a199e68a00f2597d311d8d0770f0b1030680136ee450343a8d6c4b51d9de8448bafdde44dc1a1c6e62bccde47d5af03fbae

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 adce245bf56632815d54108708b35fa3
SHA1 25b54878819eac7cb1adb8aa2f882b7ebfcee9bf
SHA256 1c2725f039ba18df4d32f9702d6db923373b493620a2b5294ee213074e6c4e59
SHA512 8437c7889191c2e518713a55a28cc1119b6424f5a5c254a71659f383f71a81df6511eedde5c983af98934465b13c1b0bf58c952b47bc2bb9e42b145ec389277d

memory/1336-3001-0x0000000000400000-0x000000000043F000-memory.dmp

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 13689a976739ee578cca7c130b7fef1a
SHA1 fc996cec103246b14384ca0d44f6dda9263e8287
SHA256 b834be980b6259818c6bab3ea0c7dce63605f3ffdc3609c7d8969f08e149a22a
SHA512 ea0bdbc66ab6b830721433d7f85db4ae4e8c05afa3b72e13553f331b669b1ffe3917fad2426b6f5b21b674a7e1d88474633143c82825a6ea57b7e16778c8654f

memory/1336-4191-0x0000000000400000-0x000000000043F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-26 05:17

Reported

2024-10-26 05:20

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

136s

Command Line

C:\Windows\Explorer.EXE

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ar-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\meta\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Defender\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\el\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fi-fi\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ru-ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\7-Zip\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Media Player\uk-UA\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\Simple\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\sk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\images\themeless\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\he-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\pack200.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Media Player\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\de-de\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\host\fxr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Cultures\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ar\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\meta\reader\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\it-it\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Locales\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\setup_wm.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\lib\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\default-browser-agent.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\VisualElements\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Logo1_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4672 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe C:\Windows\SysWOW64\net.exe
PID 4672 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe C:\Windows\SysWOW64\net.exe
PID 4672 wrote to memory of 3380 N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe C:\Windows\SysWOW64\net.exe
PID 3380 wrote to memory of 3480 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3380 wrote to memory of 3480 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3380 wrote to memory of 3480 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4672 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe C:\Windows\SysWOW64\cmd.exe
PID 4672 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe C:\Windows\SysWOW64\cmd.exe
PID 4672 wrote to memory of 3584 N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe C:\Windows\SysWOW64\cmd.exe
PID 4672 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe C:\Windows\Logo1_.exe
PID 4672 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe C:\Windows\Logo1_.exe
PID 4672 wrote to memory of 4724 N/A C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe C:\Windows\Logo1_.exe
PID 4724 wrote to memory of 3552 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4724 wrote to memory of 3552 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4724 wrote to memory of 3552 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3584 wrote to memory of 4968 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe
PID 3584 wrote to memory of 4968 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe
PID 3552 wrote to memory of 4684 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3552 wrote to memory of 4684 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3552 wrote to memory of 4684 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4724 wrote to memory of 2084 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4724 wrote to memory of 2084 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4724 wrote to memory of 2084 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2084 wrote to memory of 4040 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2084 wrote to memory of 4040 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2084 wrote to memory of 4040 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4724 wrote to memory of 3428 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 4724 wrote to memory of 3428 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe

"C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aDDBD.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe

"C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.28.10:443 g.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 73.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp

Files

memory/4672-0-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\Logo1_.exe

MD5 680e1d68d1c18cdb5e1fddd097cd0056
SHA1 3679880b26ab1a994375a7aa9ead9b17025ef30e
SHA256 9f250d09197e2a3e5f063b06c9995f5802b48852f9d98af43419e119698ccbc3
SHA512 15b9dfc38a515ab4ee8e9eca27a5a2d223b55ec5ab517e14a94a4da32ecfcba8b9f7589c429d92472617033f757c7843119ac1ec28f373600545a66e9873553b

memory/4724-8-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4672-11-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aDDBD.bat

MD5 936a15e066db1af5aa4ae05defd27b24
SHA1 8fcf94d1b7174befbb6780566e2d7cf9da67b834
SHA256 cdcc5fdffb2fe3180589f69e0b8a7401c4884beec109d6a8ddf8d3767a9cfc24
SHA512 506ba1d0dc14013166bde0adcba6c1ddf61bfef63ba0de3c9f6087ee87aa10582da21f5f632ce6e1079485eb1bbb69fe112184595255694758c316a24a4d6a63

C:\Users\Admin\AppData\Local\Temp\c0fe53af9d938a5ad4e4f948598380be14c0007103f134eb3e93018948e1119f.exe.exe

MD5 dfc18f7068913dde25742b856788d7ca
SHA1 cbaa23f782c2ddcd7c9ff024fd0b096952a2b387
SHA256 ff4ac75c02247000da084de006c214d3dd3583867bd3533ba788e22734c7a2bf
SHA512 d0c7ec1dae41a803325b51c12490c355ed779d297daa35247889950491e52427810132f0829fc7ffa3022f1a106f4e4ba78ed612223395313a6f267e9ab24945

memory/4724-18-0x0000000000400000-0x000000000043F000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3442511616-637977696-3186306149-1000\_desktop.ini

MD5 28a582403dbb209b6c5cb7bada9c918d
SHA1 db58560be63032a4cbd738d2d639e5bf764d6277
SHA256 b5a9fa3acde4d9499ea08a6d9ff193fc9cda57f04141f82d2422a4008f451200
SHA512 511b4d3886d671d01c66d2509b784a199e68a00f2597d311d8d0770f0b1030680136ee450343a8d6c4b51d9de8448bafdde44dc1a1c6e62bccde47d5af03fbae

C:\Program Files\7-Zip\7z.exe

MD5 afb82271e04d2a0073e4e2a750fac715
SHA1 81d1f5dd6577d5bd3c59c334a6845f4e2e2df9e1
SHA256 6958b58f48d0c3e90e733eba366c0ead7e90f8ace80aff25884536b54d3e8048
SHA512 a499430d02d1fbd05ef49c2ee58477815aa9361f028e914aaab419e7bf0a4d617eade94ba206307d621ec65751731cbb1d35f17e22d2baa15550bdbe34bab069

memory/4724-3062-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

MD5 f1e098dbb74b7c2096521dca1c6eb4cc
SHA1 ba104c77f746c3840759283bca1d9eb0a5efa31f
SHA256 5bd886fcd7d8d45626cfceb2fbbf92818cb960acfd96ed124641ed1943f3ea0a
SHA512 a00facee10bb7cb961d01cc0ff6b185bcda39d9f34b49cc80f50f527fee918fdc34df8c9c73bf4257d231a9c178a23620f02617c0387f30e6e090dd1274b34e7

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 e0725f04ef2eb236cf23dbdc14d512a5
SHA1 ef9875c8bd15d6c9cdcb0a4025470fae9e0d00b2
SHA256 ca3e9560c3c22fbb4efc142647d6918fe315dda96b5e00c9f0431f55ca97bcaa
SHA512 2dacc3b71e320017826ef563affec0c895cdda9cd293b6814df20aefa5d936e6fbed1d387f9224e533f473243ecb6ea5865d0919f56459c6c3e014e07d241a4e

memory/4724-8953-0x0000000000400000-0x000000000043F000-memory.dmp