Malware Analysis Report

2024-12-01 01:19

Sample ID 241110-bwktkswjfz
Target 21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31
SHA256 21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31
Tags discovery
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31

Threat Level: Shows suspicious behavior

The file 21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31 was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery

Executes dropped EXE

Deletes itself

Loads dropped DLL

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Program crash

System Location Discovery: System Language Discovery

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 01:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 01:29

Reported

2024-11-10 01:32

Platform

win7-20241010-en

Max time kernel

150s

Max time network

18s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Kentucky\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ga\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\deploy\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\BrightOrange\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Americana\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\PROPLUS\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\defaults\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\gu\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroTextExtractor.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Proof.en\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Mozilla Firefox\uninstall\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\More Games\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\lib\ext\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.flightrecorder_5.5.0.165303\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Minesweeper\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\it\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\tt\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Logo1_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2116 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe C:\Windows\SysWOW64\cmd.exe
PID 2116 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe C:\Windows\SysWOW64\cmd.exe
PID 2116 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe C:\Windows\SysWOW64\cmd.exe
PID 2116 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe C:\Windows\SysWOW64\cmd.exe
PID 2116 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe C:\Windows\Logo1_.exe
PID 2116 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe C:\Windows\Logo1_.exe
PID 2116 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe C:\Windows\Logo1_.exe
PID 2116 wrote to memory of 2184 N/A C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe C:\Windows\Logo1_.exe
PID 2184 wrote to memory of 2036 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2184 wrote to memory of 2036 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2184 wrote to memory of 2036 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2184 wrote to memory of 2036 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2036 wrote to memory of 2964 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2036 wrote to memory of 2964 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2036 wrote to memory of 2964 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2036 wrote to memory of 2964 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2424 wrote to memory of 3048 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe
PID 2424 wrote to memory of 3048 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe
PID 2424 wrote to memory of 3048 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe
PID 2424 wrote to memory of 3048 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe
PID 2424 wrote to memory of 3048 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe
PID 2424 wrote to memory of 3048 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe
PID 2424 wrote to memory of 3048 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe
PID 3048 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe C:\Windows\SysWOW64\WerFault.exe
PID 3048 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe C:\Windows\SysWOW64\WerFault.exe
PID 3048 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe C:\Windows\SysWOW64\WerFault.exe
PID 3048 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe C:\Windows\SysWOW64\WerFault.exe
PID 2184 wrote to memory of 1212 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2184 wrote to memory of 1212 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe

"C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a9A1D.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe

"C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 552

Network

N/A

Files

memory/2116-0-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a9A1D.bat

MD5 6ce722e95fc30dcad588a3b469d99e93
SHA1 0ae094247ab2132657cc225a79cc2806d3878346
SHA256 a435d9680429bde0a8e261192d780bb63cf1ca2eed83b4c79ed00f0a650ccc93
SHA512 6dc9ee2965478899592a6a2de98236e169095af3eaf0e10c797fc1a09759f3f8255247e3477b61846c0712a376d759078e0dc95ee7bdff8179375318aa108ebb

C:\Windows\Logo1_.exe

MD5 8d79bd6a4273fffe7138b06625504e00
SHA1 e9e9a9cf8e835cd533e51606f6d99ecb47d990fc
SHA256 90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c
SHA512 9aa90c89fed48fbc97594fb788ef82dbb3d722a7f536e0cf063729acef01440d8e9531d35851622cdcd8b59e0a8798833eda6f8de2b018109997b1baec577c33

memory/2184-18-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2116-17-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe.exe

MD5 ab594a013f13b863dfab4631a70d11d8
SHA1 a07ecf665eaf9718a37372bd7590ca04742e663f
SHA256 3013bd7f6f46b2f76c4fe4dc2ea374fa609539d258b2f7b450d9c5e25ef72015
SHA512 8d0ff0883c2a94e7c64eda393572a11b709f2a6d0b701dacc4b792bae3ff6397eaad9693535f8634d003189bda1e76944b2403259c36ba17eb42cf85f82c94e8

memory/3048-28-0x0000000074BBE000-0x0000000074BBF000-memory.dmp

memory/3048-29-0x0000000000B90000-0x0000000000BA2000-memory.dmp

memory/1212-36-0x0000000002B60000-0x0000000002B61000-memory.dmp

memory/2184-40-0x0000000000400000-0x0000000000436000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3692679935-4019334568-335155002-1000\_desktop.ini

MD5 2a3fd5c71388ca70bcd12900f65d5a77
SHA1 7619579d21480b9a4800bc830dbf20354e50b979
SHA256 a48a9bee0ea1d148d80a848e506f13606a80f84e7f4fa4a3ceeb0f47eab1bf40
SHA512 0e803903a477f9761178c6892c45f3522f9af5b6ef550f446c0dea329dcbe2753760a17086397ff4f9c66ec93a3dbbd1e7b6aaaa71f77c70c9c8de81429c3aa0

memory/2184-48-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2184-55-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2184-63-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2184-101-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2184-106-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2184-253-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2184-1883-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 44b1d976ac1b619eb8f20332e9307cd1
SHA1 2644ec5390e5bd5c7e45f9b0316378881ae36a7e
SHA256 98b56337fed63960a955fde77cf678b5d3df5aa620e0834d0d1be24cabdba0fd
SHA512 745410aacc11176be2efab183f0bd8e8d71ec26d9931051d4248963f62f962e66b5e4554923dff01b5ad562ab93b8010dcce855278f09e8cca781a83c4eb2340

memory/2184-3343-0x0000000000400000-0x0000000000436000-memory.dmp

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 40429fbe4769cde892d72cde845b3df8
SHA1 f5c804acf1e4659b85010ca8926f2eee4ee4ae62
SHA256 00c3830d8357fbd8e92cd7e440a848424bf94a68784664dcf469707b448b42d6
SHA512 e774273101c90343328379a114ba7349fe532145b0beff7c62f0702ad762502b9823da3d2397c55a7040c80e42c2b5562a8021d3663c7621de05dba03cb2ef51

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 01:29

Reported

2024-11-10 01:32

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

135s

Command Line

C:\Windows\Explorer.EXE

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.NET.Native.Runtime.2.2_2.2.27328.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\Assets\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\hu-hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\eu-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\de\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sk-sk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hr-hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Simple\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\Microsoft.Support.SDK\Assets\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\hu-hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Simple\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\unpack200.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Multimedia Platform\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Internet Explorer\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\fi-fi\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\uk-UA\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ar-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Crashpad\reports\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ms\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\it-it\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.People_2019.305.632.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\SIGNUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fi-FI\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Videos\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\bin\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fr-fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\HoloTileAssets\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\it-it\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\hr-hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\da-DK\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Logo1_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe N/A

Runs net.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2144 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe C:\Windows\SysWOW64\cmd.exe
PID 2144 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe C:\Windows\SysWOW64\cmd.exe
PID 2144 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe C:\Windows\SysWOW64\cmd.exe
PID 2144 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe C:\Windows\Logo1_.exe
PID 2144 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe C:\Windows\Logo1_.exe
PID 2144 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe C:\Windows\Logo1_.exe
PID 4788 wrote to memory of 2768 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4788 wrote to memory of 2768 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4788 wrote to memory of 2768 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2768 wrote to memory of 5112 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2768 wrote to memory of 5112 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2768 wrote to memory of 5112 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2024 wrote to memory of 3812 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe
PID 2024 wrote to memory of 3812 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe
PID 2024 wrote to memory of 3812 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe
PID 4788 wrote to memory of 3424 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 4788 wrote to memory of 3424 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe

"C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6225.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe

"C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3812 -ip 3812

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3812 -s 796

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

memory/2144-0-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\Logo1_.exe

MD5 8d79bd6a4273fffe7138b06625504e00
SHA1 e9e9a9cf8e835cd533e51606f6d99ecb47d990fc
SHA256 90eeb4757d0a09477070cec4c254a25533cefa01cf22c772e116f7b6e99ca56c
SHA512 9aa90c89fed48fbc97594fb788ef82dbb3d722a7f536e0cf063729acef01440d8e9531d35851622cdcd8b59e0a8798833eda6f8de2b018109997b1baec577c33

memory/2144-9-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4788-10-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a6225.bat

MD5 c08887c1428c36e3df1ba218e2bdf5c8
SHA1 b468e1a281a8e7eee4ad326d1304903c917a4f09
SHA256 cd28fcd02efa14a6bdf7dfaf4ac3e76894f337f1b7abc5c785a1c142600e4e55
SHA512 d80173c66d3deac2ea8207891412c4248ebe582b2b3b6f03cbcc51829919d3a89af974e98cbdd0e61384285b0e098b734cf8c9345c2f68ccd5fad0c0abcc4718

C:\Users\Admin\AppData\Local\Temp\21896b7f89b893f57c799a6ec2ec6f35c15ef4bdd60cc3434e6a1069abed7b31.exe.exe

MD5 ab594a013f13b863dfab4631a70d11d8
SHA1 a07ecf665eaf9718a37372bd7590ca04742e663f
SHA256 3013bd7f6f46b2f76c4fe4dc2ea374fa609539d258b2f7b450d9c5e25ef72015
SHA512 8d0ff0883c2a94e7c64eda393572a11b709f2a6d0b701dacc4b792bae3ff6397eaad9693535f8634d003189bda1e76944b2403259c36ba17eb42cf85f82c94e8

memory/3812-19-0x00000000742EE000-0x00000000742EF000-memory.dmp

memory/3812-20-0x0000000000F60000-0x0000000000F72000-memory.dmp

memory/3812-21-0x0000000005F40000-0x00000000064E4000-memory.dmp

memory/4788-23-0x0000000000400000-0x0000000000436000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3756129449-3121373848-4276368241-1000\_desktop.ini

MD5 2a3fd5c71388ca70bcd12900f65d5a77
SHA1 7619579d21480b9a4800bc830dbf20354e50b979
SHA256 a48a9bee0ea1d148d80a848e506f13606a80f84e7f4fa4a3ceeb0f47eab1bf40
SHA512 0e803903a477f9761178c6892c45f3522f9af5b6ef550f446c0dea329dcbe2753760a17086397ff4f9c66ec93a3dbbd1e7b6aaaa71f77c70c9c8de81429c3aa0

memory/4788-31-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4788-37-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4788-41-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Program Files\7-Zip\7z.exe

MD5 edaa33ebb9b8a64e18538a0c6e98e8d9
SHA1 4d264bee24780297cb2a5ee8938025a18b7ea628
SHA256 88feb2e0a2ad7d177db262c8f49044c863d002355af8242a412ac69cbee1dbf2
SHA512 6d9e47186ee4f87ae3043e7247b61e94d0c1278cff38544d966696d49e5601f0af8452a31e1bf06c7f62887833f4230533fa036bdbfaa32533b4d58b8148cfd9

memory/4788-1071-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4788-1238-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

MD5 fdc95026717686b36d356c9053eb1019
SHA1 3d301424838bbc55d88ba9dbcb6a65612ff54b9b
SHA256 e2813a7fb0a036eb9b0861b1687ba73d8380ecb2b9cbe0eededd4edfd8ad7f49
SHA512 9890073e956436de9dd5c09c7b36a718f7a746655ed4fb7eceb7390b500888475f4b64c29d26eeda62240be5c8efc6a1735c4322d6d9cde9bb60315d64bf4fff

memory/4788-4789-0x0000000000400000-0x0000000000436000-memory.dmp

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 c6d6354b442f8417dc66b1723a800f2f
SHA1 94525ba06431ca98c5b8b58c60b24ac8811b1748
SHA256 848e14757895f1da1da61c8bb06127caaeb36eb3361768b3baf1a7974ad16716
SHA512 49b347afad74e96aeedddaaf3bbf7cb261c5590b4991af35f3fcd5fe2a22954266e5dc84b100590731da608ba49aa04fd5f22c7997d20ca5999cc63103180a5f

memory/4788-5262-0x0000000000400000-0x0000000000436000-memory.dmp