Malware Analysis Report

2025-08-10 19:57

Sample ID 250630-v8tf2a1wh1
Target 88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1
SHA256 88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1
Tags
discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V16

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1

Threat Level: Shows suspicious behavior

The file 88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1 was found to show suspicious behavior.

Malicious Activity Summary

discovery spyware stealer

Drops startup file

Executes dropped EXE

Reads user/profile data of web browsers

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Runs net.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-06-30 17:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-06-30 17:40

Reported

2025-06-30 17:42

Platform

win10v2004-20250610-en

Max time kernel

149s

Max time network

135s

Command Line

C:\Windows\Explorer.EXE

Signatures

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Logo1_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 32 wrote to memory of 5656 N/A C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe C:\Windows\SysWOW64\cmd.exe
PID 32 wrote to memory of 5656 N/A C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe C:\Windows\SysWOW64\cmd.exe
PID 32 wrote to memory of 5656 N/A C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe C:\Windows\SysWOW64\cmd.exe
PID 32 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe C:\Windows\Logo1_.exe
PID 32 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe C:\Windows\Logo1_.exe
PID 32 wrote to memory of 1276 N/A C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe C:\Windows\Logo1_.exe
PID 1276 wrote to memory of 3660 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1276 wrote to memory of 3660 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1276 wrote to memory of 3660 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3660 wrote to memory of 1352 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3660 wrote to memory of 1352 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3660 wrote to memory of 1352 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 5656 wrote to memory of 4412 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe
PID 5656 wrote to memory of 4412 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe
PID 5656 wrote to memory of 4412 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe
PID 1276 wrote to memory of 3468 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 1276 wrote to memory of 3468 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe

"C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6CA4.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe

"C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 23.4.84.73:443 www.bing.com tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 c.pki.goog udp
GB 142.250.179.227:80 c.pki.goog tcp

Files

memory/32-0-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1276-8-0x0000000000400000-0x000000000044E000-memory.dmp

C:\Windows\Logo1_.exe

MD5 1934a87528ad83e4e2da42d9106ce783
SHA1 394f69976c156865c1e6064092f090a4ec3b23ed
SHA256 97a6902a72bd0f254bd04178a2e8e4710eb2afa14f0b897f8c728a62c7b3ddf6
SHA512 f65912e0e47ab2e3b374af4ca89c06e549c3ff32b08e5da48e41de1c86b7c66019e716d38ea00b53d521606bef7d6677d3ade5c62c420fa875b7df385b6fa386

memory/32-11-0x0000000000400000-0x000000000044E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a6CA4.bat

MD5 7a57a730b9281d7f5d01c90978016ead
SHA1 94680ca091b7ec76409c5cad1834f2f218fc24d5
SHA256 731f3086e8d9827d43fff6d0df439eabb480e9acb648e1aad533ae5861c5c091
SHA512 b83206c12754a6de4bdb55edf7c805fd5412c0c092f8712d89e71c37d01d4c82079e05573db549dba13c8e737fdc2f2749e235fd6ddc526fe164edb0d99d172f

C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe.exe

MD5 6f581a41167d2d484fcba20e6fc3c39a
SHA1 d48de48d24101b9baaa24f674066577e38e6b75c
SHA256 3eb8d53778eab9fb13b4c97aeab56e4bad2a6ea3748d342f22eaf4d7aa3185a7
SHA512 e1177b6cea89445d58307b3327c78909adff225497f9abb8de571cdd114b547a8f515ec3ab038b583bf752a085b231f6329d6ca82fbe6be8a58cd97a1dbaf0f6

F:\$RECYCLE.BIN\S-1-5-21-815616237-4012932787-4224613991-1000\_desktop.ini

MD5 8d5d367ed8a2afc1fc0b8fc7d14da98c
SHA1 fddfad39cd8b448d0d3dbb6e9c67752999568783
SHA256 93740c0db50f557803e16032194380e92e586f9cd845c4543eae2c3aa97d95f6
SHA512 3215518f650fe697fa80054e2e7e98a55a23832309347704985d502ecf46726048291ace0a619b669726fda404c9235047a21563971a238864ee3523f5bbe96b

C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\setup.exe

MD5 33961636c1782c47d500b0defe08dc74
SHA1 7cd2dfef5e4a4b40da3b70f20af7dec9371ef8af
SHA256 386509c30bc2440a1c02b68a496bcf072b96b5534c00841d5d398c0ba8f370a1
SHA512 f424198489450e9d71445e58175028237158d7e8ffa7e65d4c72439cb271dfd320f2ba29d9b64bb3735627a9f0952a0238fcc7dbaa7a1d3ae03ed679fae35751

memory/1276-2448-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1276-2449-0x0000000000400000-0x000000000044E000-memory.dmp

memory/1276-10059-0x0000000000400000-0x000000000044E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-06-30 17:40

Reported

2025-06-30 17:42

Platform

win11-20250619-en

Max time kernel

150s

Max time network

109s

Command Line

C:\Windows\Explorer.EXE

Signatures

Drops startup file

Description Indicator Process Target
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ru-ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ca-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\nb-no\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\ADOMD.NET\130\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sk-sk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fi-fi\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nb-no\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Logo1_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4752 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe C:\Windows\SysWOW64\cmd.exe
PID 4752 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe C:\Windows\SysWOW64\cmd.exe
PID 4752 wrote to memory of 4116 N/A C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe C:\Windows\SysWOW64\cmd.exe
PID 4752 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe C:\Windows\Logo1_.exe
PID 4752 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe C:\Windows\Logo1_.exe
PID 4752 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe C:\Windows\Logo1_.exe
PID 4232 wrote to memory of 3040 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4232 wrote to memory of 3040 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4232 wrote to memory of 3040 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3040 wrote to memory of 5024 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3040 wrote to memory of 5024 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3040 wrote to memory of 5024 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4116 wrote to memory of 5860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe
PID 4116 wrote to memory of 5860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe
PID 4116 wrote to memory of 5860 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe
PID 4232 wrote to memory of 3308 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 4232 wrote to memory of 3308 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe

"C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8F4F.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe

"C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe"

Network

Country Destination Domain Proto
US 52.111.227.13:443 tcp

Files

memory/4752-0-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4232-8-0x0000000000400000-0x000000000044E000-memory.dmp

C:\Windows\Logo1_.exe

MD5 1934a87528ad83e4e2da42d9106ce783
SHA1 394f69976c156865c1e6064092f090a4ec3b23ed
SHA256 97a6902a72bd0f254bd04178a2e8e4710eb2afa14f0b897f8c728a62c7b3ddf6
SHA512 f65912e0e47ab2e3b374af4ca89c06e549c3ff32b08e5da48e41de1c86b7c66019e716d38ea00b53d521606bef7d6677d3ade5c62c420fa875b7df385b6fa386

memory/4752-9-0x0000000000400000-0x000000000044E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a8F4F.bat

MD5 540a0155ad86afb53ca6742e74f1c44b
SHA1 992c84c85eaf314086eb793d199e57f0880a5d90
SHA256 ec652a11fd9e261744ef7657af3004938df9543b9da5958412977101d9aa7490
SHA512 bbf48f735ff9730e2b50d002975f65f356a4ac417297a8ab6c48333b5a3f61cb5d0ae57e18838f8e7755956cfe4fedf7947bff8ce9d6530837b0446b1a518b35

C:\Users\Admin\AppData\Local\Temp\88ed15f69bbccb8217e3aa44c553ba1602aaa7ee1d40c202093d7756094eddf1.exe.exe

MD5 6f581a41167d2d484fcba20e6fc3c39a
SHA1 d48de48d24101b9baaa24f674066577e38e6b75c
SHA256 3eb8d53778eab9fb13b4c97aeab56e4bad2a6ea3748d342f22eaf4d7aa3185a7
SHA512 e1177b6cea89445d58307b3327c78909adff225497f9abb8de571cdd114b547a8f515ec3ab038b583bf752a085b231f6329d6ca82fbe6be8a58cd97a1dbaf0f6

F:\$RECYCLE.BIN\S-1-5-21-707770698-2523217751-1187874351-1000\_desktop.ini

MD5 8d5d367ed8a2afc1fc0b8fc7d14da98c
SHA1 fddfad39cd8b448d0d3dbb6e9c67752999568783
SHA256 93740c0db50f557803e16032194380e92e586f9cd845c4543eae2c3aa97d95f6
SHA512 3215518f650fe697fa80054e2e7e98a55a23832309347704985d502ecf46726048291ace0a619b669726fda404c9235047a21563971a238864ee3523f5bbe96b

C:\Program Files\Google\Chrome\Application\133.0.6943.60\Installer\setup.exe

MD5 33961636c1782c47d500b0defe08dc74
SHA1 7cd2dfef5e4a4b40da3b70f20af7dec9371ef8af
SHA256 386509c30bc2440a1c02b68a496bcf072b96b5534c00841d5d398c0ba8f370a1
SHA512 f424198489450e9d71445e58175028237158d7e8ffa7e65d4c72439cb271dfd320f2ba29d9b64bb3735627a9f0952a0238fcc7dbaa7a1d3ae03ed679fae35751

memory/4232-2611-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4232-2612-0x0000000000400000-0x000000000044E000-memory.dmp

memory/4232-10126-0x0000000000400000-0x000000000044E000-memory.dmp