Malware Analysis Report

2024-12-01 01:48

Sample ID 241110-bsgmrawerr
Target fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac
SHA256 fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac
Tags
discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac

Threat Level: Shows suspicious behavior

The file fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac was found to show suspicious behavior.

Malicious Activity Summary

discovery spyware stealer

Reads user/profile data of web browsers

Deletes itself

Drops startup file

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Runs net.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:24

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:24

Reported

2024-11-10 01:26

Platform

win7-20240903-en

Max time kernel

149s

Max time network

123s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\defaults\pref\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\EURO\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EDGE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\schemagen.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\mk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ne\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\ktab.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Journal\PDIALOG.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\zu\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Esl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Solitaire\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\spu\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Media Player\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\control\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Logo1_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1972 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe C:\Windows\SysWOW64\net.exe
PID 1908 wrote to memory of 2124 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1972 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe C:\Windows\SysWOW64\cmd.exe
PID 1972 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe C:\Windows\Logo1_.exe
PID 2120 wrote to memory of 2716 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2716 wrote to memory of 2876 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1264 wrote to memory of 2824 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe
PID 2120 wrote to memory of 1920 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1920 wrote to memory of 2252 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2120 wrote to memory of 1200 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe

"C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9DE5.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe

"C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/1972-0-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a9DE5.bat

MD5 f959f3507c8412a02b3867e1cec703f9
SHA1 9476ac9e740f1659d63ce608d94f59fdf4e1e0ae
SHA256 46111aedec7e6b81425c7475e885e8c5bb7c9c60d8869da7771070f209542a36
SHA512 aad18e8fc9441dfd80450f38f3dc449632a87ccf4e4738bc7b3ab62b4eef9dd9378cb0d2861a9de82d229c638af1c52b6cb61c870cda37748108a5532e24e952

C:\Windows\Logo1_.exe

MD5 a71bfcd1ef96edb3cc326e1b76824622
SHA1 387956a928cafd3b7bf815274ac9ddfb01e59562
SHA256 0cd414bed04b78dd4100d3bdddc3fa140a3558caf58072d00359f3e88760c370
SHA512 3add11586e4795a4c92b18fc12e0639beef6f2b60f7c5db7276c94f88f2aab7a9c4ad0ad2b60b48646eabc9a5a6cd3607c539223fc210201da7963caa5b7dc92

memory/2120-20-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1972-18-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1972-17-0x0000000000230000-0x000000000026D000-memory.dmp

memory/1972-16-0x0000000000230000-0x000000000026D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe.exe

MD5 33b4c87f18b4c49114d7a8980241657a
SHA1 254c67b915e45ad8584434a4af5e06ca730baa3b
SHA256 587296f3ff624295079471e529104385e5c30ddc46462096d343c76515e1d662
SHA512 42b48b4dcd76a8b2200cfafddc064c053a9d1a4b91b81dee9153322c0b2269e4d75f340c1bf7e7750351fb656445efaf1e1fe0f7e543497b247dd3f83f0c86f9

memory/1200-29-0x0000000002E10000-0x0000000002E11000-memory.dmp

memory/2120-33-0x0000000000400000-0x000000000043D000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-4177215427-74451935-3209572229-1000\_desktop.ini

MD5 2a3fd5c71388ca70bcd12900f65d5a77
SHA1 7619579d21480b9a4800bc830dbf20354e50b979
SHA256 a48a9bee0ea1d148d80a848e506f13606a80f84e7f4fa4a3ceeb0f47eab1bf40
SHA512 0e803903a477f9761178c6892c45f3522f9af5b6ef550f446c0dea329dcbe2753760a17086397ff4f9c66ec93a3dbbd1e7b6aaaa71f77c70c9c8de81429c3aa0

memory/2120-3002-0x0000000000400000-0x000000000043D000-memory.dmp

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 41d5bd106a62b9a38b1c76df058c795d
SHA1 f4d66b06c910103c30e24010f380d2d98bd49cab
SHA256 a3d71d07d47ca777c1976260894fa8f618a7dc9e5626150b578dd01f722d522f
SHA512 46326985ebc5f47fe1542b04b5d78ef58b9fbf3ae7e8f08346b26dbc767eef6a46cebb5d27acc08cb7ce280e814e31032168566d2c2c75f0e0a54745ab976f22

memory/2120-4191-0x0000000000400000-0x000000000043D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 01:24

Reported

2024-11-10 01:26

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

143s

Command Line

C:\Windows\Explorer.EXE

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\he-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Templates\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\Cultures\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nb-no\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\limited\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\eu-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\eu-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleCrashHandler64.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\host\fxr\7.0.16\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\he-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\Simple\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Photo Viewer\uk-UA\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ca-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pl-pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\cmm\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\te\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ar-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hu-hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\Media Renderer\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdeps.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsimport.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\Fonts\private\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\meta\art\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\he-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\spu\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdate.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sl-si\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\versions\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\uk-UA\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\pl-pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hr-hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\nb-no\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\eu-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Oracle\Java\javapath\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\ext\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ach\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\or_IN\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Logo1_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3884 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe C:\Windows\SysWOW64\net.exe
PID 3884 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe C:\Windows\SysWOW64\net.exe
PID 3884 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe C:\Windows\SysWOW64\net.exe
PID 4128 wrote to memory of 2820 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4128 wrote to memory of 2820 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4128 wrote to memory of 2820 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3884 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 1596 N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe C:\Windows\SysWOW64\cmd.exe
PID 3884 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe C:\Windows\Logo1_.exe
PID 3884 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe C:\Windows\Logo1_.exe
PID 3884 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe C:\Windows\Logo1_.exe
PID 1840 wrote to memory of 2960 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1840 wrote to memory of 2960 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1840 wrote to memory of 2960 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1596 wrote to memory of 3636 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe
PID 1596 wrote to memory of 3636 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe
PID 2960 wrote to memory of 3972 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2960 wrote to memory of 3972 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2960 wrote to memory of 3972 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1840 wrote to memory of 1604 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1840 wrote to memory of 1604 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1840 wrote to memory of 1604 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1604 wrote to memory of 1516 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1604 wrote to memory of 1516 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1604 wrote to memory of 1516 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1840 wrote to memory of 3392 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 1840 wrote to memory of 3392 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe

"C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8107.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe

"C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 75.117.19.2.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

memory/3884-0-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\Logo1_.exe

MD5 a71bfcd1ef96edb3cc326e1b76824622
SHA1 387956a928cafd3b7bf815274ac9ddfb01e59562
SHA256 0cd414bed04b78dd4100d3bdddc3fa140a3558caf58072d00359f3e88760c370
SHA512 3add11586e4795a4c92b18fc12e0639beef6f2b60f7c5db7276c94f88f2aab7a9c4ad0ad2b60b48646eabc9a5a6cd3607c539223fc210201da7963caa5b7dc92

memory/1840-11-0x0000000000400000-0x000000000043D000-memory.dmp

memory/3884-10-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a8107.bat

MD5 7b0ca00538279ac72e4cfcec57e7d5b8
SHA1 242c138d023e15bdbb9d0c6332faa698a883175a
SHA256 94382da14b6763194c2477b6e5dfda14ca4698b65468fb4837106df7119113ec
SHA512 da0894c7707a13a0adbda6c2fc49f2fe7056168996a04985ee8f555b3edbca3ae3a09ec38807d884405ed195858a56a92b01481b7919b7cd1827a1e9dace68e9

C:\Users\Admin\AppData\Local\Temp\fb1b47840ef631a7da44f580234af26bbc7b561a7374ff38f16817b708fee3ac.exe.exe

MD5 33b4c87f18b4c49114d7a8980241657a
SHA1 254c67b915e45ad8584434a4af5e06ca730baa3b
SHA256 587296f3ff624295079471e529104385e5c30ddc46462096d343c76515e1d662
SHA512 42b48b4dcd76a8b2200cfafddc064c053a9d1a4b91b81dee9153322c0b2269e4d75f340c1bf7e7750351fb656445efaf1e1fe0f7e543497b247dd3f83f0c86f9

memory/1840-18-0x0000000000400000-0x000000000043D000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3227495264-2217614367-4027411560-1000\_desktop.ini

MD5 2a3fd5c71388ca70bcd12900f65d5a77
SHA1 7619579d21480b9a4800bc830dbf20354e50b979
SHA256 a48a9bee0ea1d148d80a848e506f13606a80f84e7f4fa4a3ceeb0f47eab1bf40
SHA512 0e803903a477f9761178c6892c45f3522f9af5b6ef550f446c0dea329dcbe2753760a17086397ff4f9c66ec93a3dbbd1e7b6aaaa71f77c70c9c8de81429c3aa0

C:\Program Files\GrantSend.exe

MD5 5d4baa68ae2c30fbc20ee67f96ba8016
SHA1 2571fa536da172fc7481ec867df65b6559e43a55
SHA256 09c0856b5faa94861eac590d21312619ba31a90feccd85be1fc24ab1c23178c7
SHA512 83661a2e8353db5cebb821b60338c8ccf89d2f9da5cb3bc1ccf9a72f1e51d734bb553399f7cd75d3bc810aee387a2b287212fd92582d3519aadc66e9c3ebd21c

memory/1840-3222-0x0000000000400000-0x000000000043D000-memory.dmp

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 33d1fbbb3236bc3a2843e45b01da9c5d
SHA1 c0847581b9a49f6b37cf8e6785578ea96b4de8a1
SHA256 48817c256c311abe3645d6b5a56e4c0361b9e781943bf5301951efa87e694ea0
SHA512 1e2692e1701ba9ba3d8d8a6420458270526a519eb413d725757e58133abcbd9d5835255d54e4f188da51e01635b974f50fafc5abc558c959f3c43ecb051c9274

memory/1840-8900-0x0000000000400000-0x000000000043D000-memory.dmp