Malware Analysis Report

2025-01-22 08:28

Sample ID 241026-fyr3wszgnh
Target 421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884
SHA256 421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884
Tags
discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884

Threat Level: Shows suspicious behavior

The file 421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884 was found to show suspicious behavior.

Malicious Activity Summary

discovery spyware stealer

Reads user/profile data of web browsers

Drops startup file

Deletes itself

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-26 05:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-26 05:17

Reported

2024-10-26 05:19

Platform

win7-20240903-en

Max time kernel

149s

Max time network

122s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Acrobat\ActiveX\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BREEZE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Mahjong\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ne\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access_output\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\FreeCell\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\keytool.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Portal\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Mahjong\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ff\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Mahjong\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ie\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Logo1_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2036 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe C:\Windows\SysWOW64\net.exe
PID 2036 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe C:\Windows\SysWOW64\net.exe
PID 2036 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe C:\Windows\SysWOW64\net.exe
PID 2036 wrote to memory of 1912 N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe C:\Windows\SysWOW64\net.exe
PID 1912 wrote to memory of 1780 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1912 wrote to memory of 1780 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1912 wrote to memory of 1780 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1912 wrote to memory of 1780 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2036 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe C:\Windows\SysWOW64\cmd.exe
PID 2036 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe C:\Windows\Logo1_.exe
PID 2036 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe C:\Windows\Logo1_.exe
PID 2036 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe C:\Windows\Logo1_.exe
PID 2036 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe C:\Windows\Logo1_.exe
PID 2180 wrote to memory of 2012 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2180 wrote to memory of 2012 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2180 wrote to memory of 2012 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2180 wrote to memory of 2012 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2012 wrote to memory of 2072 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2012 wrote to memory of 2072 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2012 wrote to memory of 2072 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2012 wrote to memory of 2072 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1908 wrote to memory of 1884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe
PID 1908 wrote to memory of 1884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe
PID 1908 wrote to memory of 1884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe
PID 1908 wrote to memory of 1884 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe
PID 2180 wrote to memory of 804 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2180 wrote to memory of 804 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2180 wrote to memory of 804 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2180 wrote to memory of 804 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 804 wrote to memory of 2596 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 804 wrote to memory of 2596 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 804 wrote to memory of 2596 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 804 wrote to memory of 2596 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2180 wrote to memory of 1204 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2180 wrote to memory of 1204 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe

"C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9CFB.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe

"C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/2036-0-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a9CFB.bat

MD5 682e6cee864bd5a7e9d900310708c073
SHA1 a4b40be28a5cc1c1c30e0be646e13c19eaeeec42
SHA256 6e82db5859bcaddb1dbb83aa988be9b20cb900384c0ebe234e6c97535306a4bb
SHA512 ac178f9379dfbdd3bffebb1caad273babc935efe7a14a07b74c19cb574c0772cdbe23bad484d99878bbec3e87bb0d9be2f40b85dc3ca0e3ab63cbd0250c957cd

C:\Windows\Logo1_.exe

MD5 680e1d68d1c18cdb5e1fddd097cd0056
SHA1 3679880b26ab1a994375a7aa9ead9b17025ef30e
SHA256 9f250d09197e2a3e5f063b06c9995f5802b48852f9d98af43419e119698ccbc3
SHA512 15b9dfc38a515ab4ee8e9eca27a5a2d223b55ec5ab517e14a94a4da32ecfcba8b9f7589c429d92472617033f757c7843119ac1ec28f373600545a66e9873553b

memory/2036-17-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2180-19-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2036-18-0x0000000001C70000-0x0000000001CAF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe.exe

MD5 50f289df0c19484e970849aac4e6f977
SHA1 3dc77c8830836ab844975eb002149b66da2e10be
SHA256 b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305
SHA512 877d852ea1062b90e2fd2f3c4dc7d05d9697e9a9b2929c830a770b62741f6a11e06de73275eb871113f11143faf1cb40d99f7c247862ffb778d26833ed5d7e38

memory/1204-30-0x0000000002DC0000-0x0000000002DC1000-memory.dmp

memory/2036-33-0x0000000001C70000-0x0000000001CAF000-memory.dmp

memory/2180-34-0x0000000000400000-0x000000000043F000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3063565911-2056067323-3330884624-1000\_desktop.ini

MD5 28a582403dbb209b6c5cb7bada9c918d
SHA1 db58560be63032a4cbd738d2d639e5bf764d6277
SHA256 b5a9fa3acde4d9499ea08a6d9ff193fc9cda57f04141f82d2422a4008f451200
SHA512 511b4d3886d671d01c66d2509b784a199e68a00f2597d311d8d0770f0b1030680136ee450343a8d6c4b51d9de8448bafdde44dc1a1c6e62bccde47d5af03fbae

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 adce245bf56632815d54108708b35fa3
SHA1 25b54878819eac7cb1adb8aa2f882b7ebfcee9bf
SHA256 1c2725f039ba18df4d32f9702d6db923373b493620a2b5294ee213074e6c4e59
SHA512 8437c7889191c2e518713a55a28cc1119b6424f5a5c254a71659f383f71a81df6511eedde5c983af98934465b13c1b0bf58c952b47bc2bb9e42b145ec389277d

memory/2180-3004-0x0000000000400000-0x000000000043F000-memory.dmp

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 13689a976739ee578cca7c130b7fef1a
SHA1 fc996cec103246b14384ca0d44f6dda9263e8287
SHA256 b834be980b6259818c6bab3ea0c7dce63605f3ffdc3609c7d8969f08e149a22a
SHA512 ea0bdbc66ab6b830721433d7f85db4ae4e8c05afa3b72e13553f331b669b1ffe3917fad2426b6f5b21b674a7e1d88474633143c82825a6ea57b7e16778c8654f

memory/2180-4186-0x0000000000400000-0x000000000043F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-26 05:17

Reported

2024-10-26 05:19

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\fonts\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\Font\PFM\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ca-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\uk-ua\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\it-it\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ru-ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\EBWebView\x86\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Extensions\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Crashpad\attachments\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\orbd.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Network Sharing\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\it-it\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ca-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ar-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jconsole.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EVRGREEN\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ca-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\cs-cz\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Validator\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\it-it\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ja-jp\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ar-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ja-jp\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\wmlaunch.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ja-jp\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\legal\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\TextConv\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ky\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\de-de\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\plugin2\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\id\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SPRING\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\IDTemplates\ENU\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-fr\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Logo1_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2260 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe C:\Windows\SysWOW64\net.exe
PID 2260 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe C:\Windows\SysWOW64\net.exe
PID 2260 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe C:\Windows\SysWOW64\net.exe
PID 2564 wrote to memory of 4252 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2564 wrote to memory of 4252 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2564 wrote to memory of 4252 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2260 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 1556 N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe C:\Windows\SysWOW64\cmd.exe
PID 2260 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe C:\Windows\Logo1_.exe
PID 2260 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe C:\Windows\Logo1_.exe
PID 2260 wrote to memory of 3232 N/A C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe C:\Windows\Logo1_.exe
PID 3232 wrote to memory of 3464 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3232 wrote to memory of 3464 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3232 wrote to memory of 3464 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3464 wrote to memory of 2264 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3464 wrote to memory of 2264 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3464 wrote to memory of 2264 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1556 wrote to memory of 4664 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe
PID 1556 wrote to memory of 4664 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe
PID 3232 wrote to memory of 3188 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3232 wrote to memory of 3188 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3232 wrote to memory of 3188 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3188 wrote to memory of 2756 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3188 wrote to memory of 2756 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3188 wrote to memory of 2756 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3232 wrote to memory of 3444 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 3232 wrote to memory of 3444 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe

"C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aC0DF.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe

"C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 197.87.175.4.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp

Files

memory/2260-0-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2260-10-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\Logo1_.exe

MD5 680e1d68d1c18cdb5e1fddd097cd0056
SHA1 3679880b26ab1a994375a7aa9ead9b17025ef30e
SHA256 9f250d09197e2a3e5f063b06c9995f5802b48852f9d98af43419e119698ccbc3
SHA512 15b9dfc38a515ab4ee8e9eca27a5a2d223b55ec5ab517e14a94a4da32ecfcba8b9f7589c429d92472617033f757c7843119ac1ec28f373600545a66e9873553b

memory/3232-11-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aC0DF.bat

MD5 05d64bcb48994d18f587e88f48c25bbd
SHA1 ac97afde3ac71f87f3f167858d935e14d83c5c34
SHA256 fa6e2d28c411bdd9c9d3cfd7a1862a13a1862f4a2d33668b8dbcfe7b25832fbd
SHA512 ce830d0c23388a0100bfe24615fe2429cdb801d1197737bfb6063d54e7a3806c905761af25c0bec2947f7b1658159f229cc1e280ab58ab6de81c74c2e656e4b4

C:\Users\Admin\AppData\Local\Temp\421895599af99e0f9736e956e211508b61607d232afa91ffb6b4fb7ecb329884.exe.exe

MD5 50f289df0c19484e970849aac4e6f977
SHA1 3dc77c8830836ab844975eb002149b66da2e10be
SHA256 b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305
SHA512 877d852ea1062b90e2fd2f3c4dc7d05d9697e9a9b2929c830a770b62741f6a11e06de73275eb871113f11143faf1cb40d99f7c247862ffb778d26833ed5d7e38

memory/3232-18-0x0000000000400000-0x000000000043F000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-493223053-2004649691-1575712786-1000\_desktop.ini

MD5 28a582403dbb209b6c5cb7bada9c918d
SHA1 db58560be63032a4cbd738d2d639e5bf764d6277
SHA256 b5a9fa3acde4d9499ea08a6d9ff193fc9cda57f04141f82d2422a4008f451200
SHA512 511b4d3886d671d01c66d2509b784a199e68a00f2597d311d8d0770f0b1030680136ee450343a8d6c4b51d9de8448bafdde44dc1a1c6e62bccde47d5af03fbae

C:\Program Files\7-Zip\7z.exe

MD5 afb82271e04d2a0073e4e2a750fac715
SHA1 81d1f5dd6577d5bd3c59c334a6845f4e2e2df9e1
SHA256 6958b58f48d0c3e90e733eba366c0ead7e90f8ace80aff25884536b54d3e8048
SHA512 a499430d02d1fbd05ef49c2ee58477815aa9361f028e914aaab419e7bf0a4d617eade94ba206307d621ec65751731cbb1d35f17e22d2baa15550bdbe34bab069

memory/3232-3306-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

MD5 f1e098dbb74b7c2096521dca1c6eb4cc
SHA1 ba104c77f746c3840759283bca1d9eb0a5efa31f
SHA256 5bd886fcd7d8d45626cfceb2fbbf92818cb960acfd96ed124641ed1943f3ea0a
SHA512 a00facee10bb7cb961d01cc0ff6b185bcda39d9f34b49cc80f50f527fee918fdc34df8c9c73bf4257d231a9c178a23620f02617c0387f30e6e090dd1274b34e7

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 e0725f04ef2eb236cf23dbdc14d512a5
SHA1 ef9875c8bd15d6c9cdcb0a4025470fae9e0d00b2
SHA256 ca3e9560c3c22fbb4efc142647d6918fe315dda96b5e00c9f0431f55ca97bcaa
SHA512 2dacc3b71e320017826ef563affec0c895cdda9cd293b6814df20aefa5d936e6fbed1d387f9224e533f473243ecb6ea5865d0919f56459c6c3e014e07d241a4e

memory/3232-8910-0x0000000000400000-0x000000000043F000-memory.dmp