Malware Analysis Report

2025-03-15 04:36

Sample ID 241027-181s1a1pan
Target 490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe
SHA256 490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe
Tags
discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe

Threat Level: Shows suspicious behavior

The file 490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe was found to show suspicious behavior.

Malicious Activity Summary

discovery spyware stealer

Drops startup file

Executes dropped EXE

Reads user/profile data of web browsers

Deletes itself

Loads dropped DLL

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

System Location Discovery: System Language Discovery

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-27 22:19

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-27 22:19

Reported

2024-10-27 22:23

Platform

win7-20240903-en

Max time kernel

149s

Max time network

123s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Games\Mahjong\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Mail\wab.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\lib\ext\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_chroma\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\java-rmi.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\SpeechEngines\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ne\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Defender\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fur\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\DESIGNER\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Internet Explorer\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fi\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\th\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Uninstall Information\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\skins\fonts\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Mozilla Firefox\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\nn\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Logo1_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2672 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe C:\Windows\SysWOW64\net.exe
PID 2212 wrote to memory of 2508 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2672 wrote to memory of 596 N/A C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe C:\Windows\SysWOW64\cmd.exe
PID 2672 wrote to memory of 2264 N/A C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe C:\Windows\Logo1_.exe
PID 2264 wrote to memory of 484 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 484 wrote to memory of 2884 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 596 wrote to memory of 2868 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe
PID 2264 wrote to memory of 2860 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2860 wrote to memory of 1916 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2264 wrote to memory of 1112 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe

"C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$aBBD0.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe

"C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/2672-0-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aBBD0.bat

MD5 4bcc391fd80bd35dd7f5eb40e21b4dfb
SHA1 7622ac27611a3fd37b82d5b5211c8cb31f37c94c
SHA256 15e28876d33525737f335e831057684c9f99655fc4a3e6fba1d5fbc3adc05f07
SHA512 12fdb3670b6e489986a50acbef8694e4b7888c8832c49d633126b6742a0b8fe6fa0e947659f2d37c49025587215762ab157555fcb8d0135b0b86f6ddbd9f6586

memory/2672-19-0x0000000000230000-0x000000000026F000-memory.dmp

memory/2672-18-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2672-17-0x0000000000230000-0x000000000026F000-memory.dmp

C:\Windows\Logo1_.exe

MD5 a41e528e57375acc788aa848f3b18b58
SHA1 1df9561f65e3e8e3e987d6b79e202e84f2048b21
SHA256 032f6fb6838bbec15be24649eac0293fdc0c6d8794e94aa7a1cb0015587f9401
SHA512 dfc5b341eef7c2d2930063d29ccc284afd480701d5184d3bf9b0ed9d6c508adb2fb6f9091b767a26917c2b73e920d1125fd1f3d68cfa847c2589f5fdfe0716dc

memory/2264-20-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe

MD5 87912631f20ab91421228cd219922519
SHA1 71a90e384de55c6f5257466e53f6c0add270a01d
SHA256 fcfdb5e2601430a674f599e054f65471e42cb18f8484aa8d8eb38f0c6f4e9c6d
SHA512 0843a6a6a1e7e6d394db8d939e5e11ddfbed917e262dcb41fddee490d7e1657d45edd93fa2e734a6d8419b2f935ef53c0185d626a83ef1e7d53db8e261f8fc8a

memory/1112-29-0x0000000002550000-0x0000000002551000-memory.dmp

memory/2264-33-0x0000000000400000-0x000000000043F000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-2872745919-2748461613-2989606286-1000\_desktop.ini

MD5 718bfb92f559ca14a82c7a2cb2c8215c
SHA1 9f17457d0b5980e5a634208930802e20799ee8d6
SHA256 3d2fb0ad016be8c2bf29e6b47092e95fb2913f89927c45261dde2f9072b746d6
SHA512 b612293b28c691823ee89ecda9759567949b1801a9491288a54e505941c4daf1f9f49e358b226fa3b4876b8052ba5c17ccefe71f1b24cc9e1daecd906087ce3e

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 534ef4a4f5354acf40536ea526912070
SHA1 e4c6ddc3832ec07c2db4584257e17c6e15324704
SHA256 46808cf6fde182857713a967752a528b768377f864af055f38b3bef291a10bd8
SHA512 a7332b3aa32570f3bcf03d99d1dc2dbee9070dec74141e71c12be6ba6ec137ffcbe4ce93721857b36a3e61909c713241196d51f79480ea2a0c58fc9300b4c467

memory/2264-3003-0x0000000000400000-0x000000000043F000-memory.dmp

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 13689a976739ee578cca7c130b7fef1a
SHA1 fc996cec103246b14384ca0d44f6dda9263e8287
SHA256 b834be980b6259818c6bab3ea0c7dce63605f3ffdc3609c7d8969f08e149a22a
SHA512 ea0bdbc66ab6b830721433d7f85db4ae4e8c05afa3b72e13553f331b669b1ffe3917fad2426b6f5b21b674a7e1d88474633143c82825a6ea57b7e16778c8654f

memory/2264-4193-0x0000000000400000-0x000000000043F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-27 22:19

Reported

2024-10-27 22:23

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

153s

Command Line

C:\Windows\Explorer.EXE

Signatures

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\Templates\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\uk-ua\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VC\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\host\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\ja-jp\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\eu-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Multimedia Platform\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ja-jp\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\cs-cz\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\he-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\lib\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\meta\art\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ja-jp\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sl-si\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\themes\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ne\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\it-it\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hr-hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\hu-hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugins\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javadoc.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\mr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\it-it\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-il\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Logo1_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Rows
N/A N/A C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe N/A 26 identical rows
N/A N/A C:\Windows\Logo1_.exe N/A 38 identical rows

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2072 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe C:\Windows\SysWOW64\net.exe
PID 2072 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe C:\Windows\SysWOW64\net.exe
PID 2072 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe C:\Windows\SysWOW64\net.exe
PID 1300 wrote to memory of 3436 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1300 wrote to memory of 3436 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1300 wrote to memory of 3436 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2072 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe C:\Windows\Logo1_.exe
PID 2072 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe C:\Windows\Logo1_.exe
PID 2072 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe C:\Windows\Logo1_.exe
PID 4904 wrote to memory of 5004 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4904 wrote to memory of 5004 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4904 wrote to memory of 5004 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 5004 wrote to memory of 2880 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 5004 wrote to memory of 2880 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 5004 wrote to memory of 2880 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1668 wrote to memory of 1308 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe
PID 1668 wrote to memory of 1308 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe
PID 1668 wrote to memory of 1308 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe
PID 4904 wrote to memory of 3264 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4904 wrote to memory of 3264 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4904 wrote to memory of 3264 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3264 wrote to memory of 4020 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3264 wrote to memory of 4020 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3264 wrote to memory of 4020 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4904 wrote to memory of 3396 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 4904 wrote to memory of 3396 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
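Read as a whole, the table above is the process chain rather than 29 separate findings. Every parent writes into a child it is starting (three writes per pair, consistent with process creation rather than injection, which is why the signature is only "suspicious use"), and the one pair that breaks the pattern is the last: Logo1_.exe writes into Explorer.EXE, a process it did not start (Explorer.EXE is the sandbox's launcher and heads the Processes list). The script below is an added example, not part of the report: it parses the rows exactly as printed, collapses the repeats into one edge with a count, renders the tree and flags writes into pre-existing processes. The report never prints Explorer's PID, so PREEXISTING = {3396} is an assumption taken from the target image name in the last two rows, and all PIDs are specific to this detonation.

```python
"""Rebuild the process tree from the WriteProcessMemory rows above.
Added example, not part of the report; ROWS is copied from the table, PREEXISTING is an assumption."""
import re
from collections import OrderedDict

ROWS = r"""
PID 2072 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe C:\Windows\SysWOW64\net.exe
PID 2072 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe C:\Windows\SysWOW64\net.exe
PID 2072 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe C:\Windows\SysWOW64\net.exe
PID 1300 wrote to memory of 3436 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1300 wrote to memory of 3436 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1300 wrote to memory of 3436 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2072 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe C:\Windows\SysWOW64\cmd.exe
PID 2072 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe C:\Windows\Logo1_.exe
PID 2072 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe C:\Windows\Logo1_.exe
PID 2072 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe C:\Windows\Logo1_.exe
PID 4904 wrote to memory of 5004 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4904 wrote to memory of 5004 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4904 wrote to memory of 5004 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 5004 wrote to memory of 2880 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 5004 wrote to memory of 2880 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 5004 wrote to memory of 2880 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1668 wrote to memory of 1308 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe
PID 1668 wrote to memory of 1308 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe
PID 1668 wrote to memory of 1308 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe
PID 4904 wrote to memory of 3264 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4904 wrote to memory of 3264 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4904 wrote to memory of 3264 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3264 wrote to memory of 4020 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3264 wrote to memory of 4020 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3264 wrote to memory of 4020 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4904 wrote to memory of 3396 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 4904 wrote to memory of 3396 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
"""

# Explorer.EXE is the sandbox's launcher (first entry under Processes). The report
# never prints its PID; 3396 is inferred from the target image in the last two rows,
# so this is an assumption, not a reported fact.
PREEXISTING = {3396}

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+)$")
# Split "<writer path> <target path>" on the boundary before a drive letter, so
# paths containing spaces (Program Files) still parse.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?(?=\s[A-Za-z]:\\|$)")

def parse_rows(text):
    """Return (writer_pid, writer_image, target_pid, target_image) per row."""
    events = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        paths = PATH_RE.findall(m.group(3))
        if len(paths) != 2:
            raise ValueError(f"cannot split paths in row: {line!r}")
        events.append((int(m.group(1)), paths[0], int(m.group(2)), paths[1]))
    return events

def build_tree(events):
    """Collapse repeated writes into one edge per (writer, target) with a count.
    edges: writer pid -> OrderedDict(target pid -> writes), first-seen order."""
    edges, images = OrderedDict(), {}
    for wpid, wimg, tpid, timg in events:
        images.setdefault(wpid, wimg)
        images.setdefault(tpid, timg)
        targets = edges.setdefault(wpid, OrderedDict())
        targets[tpid] = targets.get(tpid, 0) + 1
    return edges, images

def roots(edges):
    """Writers that are never written to: the chain starts there."""
    written = {t for targets in edges.values() for t in targets}
    return [pid for pid in edges if pid not in written]

def foreign_writes(edges, preexisting):
    """(writer, target, count) for writes into processes the writer did not spawn."""
    return [(w, t, n) for w, targets in edges.items()
            for t, n in targets.items() if t in preexisting]

def render(edges, images, pid, preexisting, depth=0, writes=None, out=None):
    """Indented tree; writes into pre-existing processes are marked."""
    out = [] if out is None else out
    count = "" if writes is None else f"  ({writes} writes)"
    mark = "  <-- target not spawned by writer" if pid in preexisting else ""
    out.append(f"{'    ' * depth}{pid} {images[pid]}{count}{mark}")
    for child, n in edges.get(pid, {}).items():
        render(edges, images, child, preexisting, depth + 1, n, out)
    return out

if __name__ == "__main__":
    edges, images = build_tree(parse_rows(ROWS))
    for root in roots(edges):
        print("\n".join(render(edges, images, root, PREEXISTING)))
    for w, t, n in foreign_writes(edges, PREEXISTING):
        print(f"flag: {images[w]} ({w}) wrote {n}x into {images[t]} ({t})")
```

Run as-is it prints the sample (2072) at the root with net.exe, cmd.exe and Logo1_.exe beneath it, cmd.exe re-launching a copy of the sample (1308, the batch-file step), and Logo1_.exe's own net.exe children plus the marked write into Explorer.EXE. Only that last edge is worth follow-up in a memory image; the rest is the chain the Processes list already shows.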

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe

"C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAA2A.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe

"C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
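For hunting, the report gives four host-side behaviours worth turning into rules: net.exe (through net1.exe) stopping "Kingsoft AntiVirus Service", launched by the sample and again by Logo1_.exe; cmd.exe /c running a $$xxxxx.bat from the user's Temp directory (the step behind "Deletes itself"); the three drops into C:\Windows (Logo1_.exe, rundl132.exe, Dll.dll); and the _desktop.ini files written into every directory the dropper walks, from Program Files to the Word STARTUP folder and the recycle bin on drive F:. The network table offers nothing tied to the sample (reverse lookups and bing.net traffic with no process attribution), so detection has to live on the host. The Python below is an added example, not part of the report or any vendor's rule set; the events are constructed Sysmon-style records built from the report's own process and file tables, the first rule keys on the service name and only records the parent, and the INI_THRESHOLD value is a tuning assumption.

```python
"""Host-side detections for the behaviours in this report.
Added example, not part of the report. SAMPLE_EVENTS are constructed
Sysmon-style dicts (not real telemetry); INI_THRESHOLD is a tuning assumption."""
import re
from collections import defaultdict
from pathlib import PureWindowsPath

# File IOCs from "Drops file in Windows directory" (compared case-insensitively).
WINDOWS_DROPS = {r"c:\windows\logo1_.exe", r"c:\windows\rundl132.exe", r"c:\windows\dll.dll"}
# Service name from the net.exe command lines; net1.exe carries the same arguments.
AV_STOP = re.compile(r'\bstop\s+"?kingsoft antivirus service"?', re.I)
# cmd.exe /c <...>\Temp\$$<chars>.bat, the batch-file self-deletion step.
TEMP_BAT = re.compile(r"/c\s+\S*\\temp\\\$\$\w+\.bat\b", re.I)
INI_THRESHOLD = 5  # assumption: distinct directories per process before alerting

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe"
SAMPLE_EVENTS = [  # constructed from the report's process list and file tables
    {"EventType": "ProcessCreate", "ProcessId": 5004, "Image": r"C:\Windows\SysWOW64\net.exe",
     "ParentImage": r"C:\Windows\Logo1_.exe", "CommandLine": 'net stop "Kingsoft AntiVirus Service"'},
    {"EventType": "ProcessCreate", "ProcessId": 1668, "Image": r"C:\Windows\SysWOW64\cmd.exe",
     "ParentImage": SAMPLE,
     "CommandLine": r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAA2A.bat"},
    {"EventType": "FileCreate", "ProcessId": 2072, "Image": SAMPLE, "TargetFilename": r"C:\Windows\Logo1_.exe"},
    *[{"EventType": "FileCreate", "ProcessId": 4904, "Image": r"C:\Windows\Logo1_.exe",
       "TargetFilename": d + r"\_desktop.ini"} for d in (
        r"C:\Program Files\VideoLAN\VLC\locale\ne",
        r"C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples",
        r"C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED",
        r"F:\$RECYCLE.BIN\S-1-5-21-3227495264-2217614367-4027411560-1000",
        r"C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP",
        r"C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru")],
    # benign look-alikes: an admin stopping another service, Explorer's own desktop.ini
    {"EventType": "ProcessCreate", "ProcessId": 6100, "Image": r"C:\Windows\System32\net.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe", "CommandLine": "net stop spooler"},
    {"EventType": "FileCreate", "ProcessId": 3396, "Image": r"C:\Windows\Explorer.EXE",
     "TargetFilename": r"C:\Users\Admin\Pictures\desktop.ini"},
]

def run_rules(events):
    """Return (rule, pid, detail) for every match, processing events in order."""
    alerts = []
    ini_dirs = defaultdict(set)  # pid -> directories where it wrote _desktop.ini
    for ev in events:
        pid = ev["ProcessId"]
        image = PureWindowsPath(ev["Image"]).name.lower()
        if ev["EventType"] == "ProcessCreate":
            cmd = ev["CommandLine"]
            if image in ("net.exe", "net1.exe") and AV_STOP.search(cmd):
                alerts.append(("av_service_stop", pid, f"{ev['ParentImage']} -> {cmd}"))
            if image == "cmd.exe" and TEMP_BAT.search(cmd):
                alerts.append(("temp_batch_self_delete", pid, cmd))
        elif ev["EventType"] == "FileCreate":
            target = PureWindowsPath(ev["TargetFilename"])
            if str(target).lower() in WINDOWS_DROPS:
                alerts.append(("windows_dir_dropper", pid, str(target)))
            if target.name == "_desktop.ini":
                ini_dirs[pid].add(str(target.parent).lower())
                if len(ini_dirs[pid]) == INI_THRESHOLD:  # fire once, at the threshold
                    alerts.append(("marker_ini_spray", pid, f"{INI_THRESHOLD} dirs, e.g. {target.parent}"))
    return alerts

if __name__ == "__main__":
    for rule, pid, detail in run_rules(SAMPLE_EVENTS):
        print(f"{rule:24} pid={pid} {detail}")
```

The two trailing events (stopping the print spooler, and Explorer writing a normal desktop.ini) show what the rules ignore: the service name and the leading underscore are what separate the sample's activity from routine administration. One caveat on the file hashes: javadoc.exe is opened for modification in the Program Files table, and 7z.exe, GoogleUpdateCore.exe and windowsdesktop-runtime-8.0.2-win-x64.exe are listed under Files alongside the dropped Logo1_.exe and the batch file, so treat their listed hashes as post-run values, not as vendor originals.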

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 69.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 udp

Files

memory/2072-0-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\Logo1_.exe

MD5 a41e528e57375acc788aa848f3b18b58
SHA1 1df9561f65e3e8e3e987d6b79e202e84f2048b21
SHA256 032f6fb6838bbec15be24649eac0293fdc0c6d8794e94aa7a1cb0015587f9401
SHA512 dfc5b341eef7c2d2930063d29ccc284afd480701d5184d3bf9b0ed9d6c508adb2fb6f9091b767a26917c2b73e920d1125fd1f3d68cfa847c2589f5fdfe0716dc

memory/4904-8-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2072-11-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aAA2A.bat

MD5 341d740dc31a2e2f9b2fe286b43a6dcf
SHA1 7ee75f9826087438558ac75088516dc9fa3e1203
SHA256 ce812040f1b3895ea64900c28c86a84a0449088a4292516e64e6bd9ffddced2a
SHA512 ade75e1caba9b4d8d269014e1d50d01c2d565d3ffa3c8e10e980a83a4857f1e537e2f6849e60a37007ef6d9f65d1e0ca3349ebef2213bba3f1c8260078e808f6

C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe.exe

MD5 87912631f20ab91421228cd219922519
SHA1 71a90e384de55c6f5257466e53f6c0add270a01d
SHA256 fcfdb5e2601430a674f599e054f65471e42cb18f8484aa8d8eb38f0c6f4e9c6d
SHA512 0843a6a6a1e7e6d394db8d939e5e11ddfbed917e262dcb41fddee490d7e1657d45edd93fa2e734a6d8419b2f935ef53c0185d626a83ef1e7d53db8e261f8fc8a

memory/4904-18-0x0000000000400000-0x000000000043F000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3227495264-2217614367-4027411560-1000\_desktop.ini

MD5 718bfb92f559ca14a82c7a2cb2c8215c
SHA1 9f17457d0b5980e5a634208930802e20799ee8d6
SHA256 3d2fb0ad016be8c2bf29e6b47092e95fb2913f89927c45261dde2f9072b746d6
SHA512 b612293b28c691823ee89ecda9759567949b1801a9491288a54e505941c4daf1f9f49e358b226fa3b4876b8052ba5c17ccefe71f1b24cc9e1daecd906087ce3e

C:\Program Files\7-Zip\7z.exe

MD5 9e2a3e0665ab03f40860cec92bce41ee
SHA1 141107aea8f388ba91b9d8273d88ff493bb1e77e
SHA256 c4553458773fbe2d86c511ff78ce6a0f00afe20eeb13140e1303cbd7b75f69a4
SHA512 f9d58891fdeeace650d01f7a562fd75ac58e77466b211d0fe90c98bb3b6396f7df90f0a3005b5398e0593c19e4edf75c951e1bd79c228d29e47c2c59b960e414

memory/4904-2748-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

MD5 2c74d440eaf8f4d9ebdaf431fed2102d
SHA1 4281804bdd247899a12a2ddfc4eedcd5bc313fbe
SHA256 e7585e15f53b58e02b39c07512e32717fa17c8fcfec1bb510e24b6a626e8de27
SHA512 1c031c965728641c9011dd85edd7ba401fc7835274ad0a3d2a60a494ec6596ba39968face346a2196ecc28967f11091fe9fce78032d425ef4dce5223d33a3aa9

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 e0725f04ef2eb236cf23dbdc14d512a5
SHA1 ef9875c8bd15d6c9cdcb0a4025470fae9e0d00b2
SHA256 ca3e9560c3c22fbb4efc142647d6918fe315dda96b5e00c9f0431f55ca97bcaa
SHA512 2dacc3b71e320017826ef563affec0c895cdda9cd293b6814df20aefa5d936e6fbed1d387f9224e533f473243ecb6ea5865d0919f56459c6c3e014e07d241a4e

memory/4904-8784-0x0000000000400000-0x000000000043F000-memory.dmp