Malware Analysis Report

2025-06-15 20:08

Sample ID 240515-ncmv2seh34
Target 11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7
SHA256 11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7
Tags spyware stealer
Score 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
7/10

SHA256

11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7

Threat Level: Shows suspicious behavior

The file 11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7 was classified as: Shows suspicious behavior.

Malicious Activity Summary

spyware stealer

Reads user/profile data of web browsers

Deletes itself

Executes dropped EXE

Loads dropped DLL

Drops startup file

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Runs net.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 11:15

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 11:15

Reported

2024-05-15 11:17

Platform

win7-20240221-en

Max time kernel

150s

Max time network

120s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\P: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\Logo1_.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Defender\it-IT\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\Extensions\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Windows Journal\ja-JP\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\Africa\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\es-ES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\Rectangles\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\gd\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Common Files\Services\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\7-Zip\Lang\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\meta\reader\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\mk\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\7-Zip\7zFM.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\images\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jre7\lib\zi\America\Kentucky\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\windows-amd64\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Windows Defender\ja-JP\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Windows Journal\Templates\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Australia\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ast\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\demux\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\rundl132.exe | C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe | N/A
File created | C:\Windows\Logo1_.exe | C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe | N/A
File opened for modification | C:\Windows\rundl132.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Windows\Dll.dll | C:\Windows\Logo1_.exe | N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 808 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe | C:\Windows\SysWOW64\net.exe
PID 808 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe | C:\Windows\SysWOW64\net.exe
PID 808 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe | C:\Windows\SysWOW64\net.exe
PID 808 wrote to memory of 2032 | N/A | C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe | C:\Windows\SysWOW64\net.exe
PID 2032 wrote to memory of 1760 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2032 wrote to memory of 1760 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2032 wrote to memory of 1760 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2032 wrote to memory of 1760 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 808 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe | C:\Windows\SysWOW64\cmd.exe
PID 808 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe | C:\Windows\SysWOW64\cmd.exe
PID 808 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe | C:\Windows\SysWOW64\cmd.exe
PID 808 wrote to memory of 2588 | N/A | C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe | C:\Windows\SysWOW64\cmd.exe
PID 808 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe | C:\Windows\Logo1_.exe
PID 808 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe | C:\Windows\Logo1_.exe
PID 808 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe | C:\Windows\Logo1_.exe
PID 808 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe | C:\Windows\Logo1_.exe
PID 2652 wrote to memory of 2576 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 2652 wrote to memory of 2576 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 2652 wrote to memory of 2576 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 2652 wrote to memory of 2576 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 2588 wrote to memory of 2720 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe
PID 2588 wrote to memory of 2720 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe
PID 2588 wrote to memory of 2720 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe
PID 2588 wrote to memory of 2720 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe
PID 2576 wrote to memory of 2732 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2576 wrote to memory of 2732 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2576 wrote to memory of 2732 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2576 wrote to memory of 2732 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2652 wrote to memory of 2756 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 2652 wrote to memory of 2756 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 2652 wrote to memory of 2756 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 2652 wrote to memory of 2756 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 2756 wrote to memory of 2708 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2756 wrote to memory of 2708 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2756 wrote to memory of 2708 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2756 wrote to memory of 2708 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2652 wrote to memory of 1256 | N/A | C:\Windows\Logo1_.exe | C:\Windows\Explorer.EXE
PID 2652 wrote to memory of 1256 | N/A | C:\Windows\Logo1_.exe | C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe

"C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1D50.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe

"C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/808-0-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a1D50.bat

MD5 0593712d48337e4343f278f91d6fab51
SHA1 814f159d7895fd0d9e9fe9697d23e3128fee5022
SHA256 e6d1119dbe2cfa5eaa1851c6c4712abfd196d356cb449ea6dc3a40bf70973688
SHA512 50e9f2903eb44ecf542e3799a749d21447090d00bfddd685e4809c241b4324a1f72a8cf4326f51335048d3fc6c1c422b78be8bf399a024c1512ace0328721950

C:\Windows\Logo1_.exe

MD5 341ec829f1445cfc22901ee3564a2407
SHA1 3b7d6d531808cf3d17f484d7984c5cbb2ae6d850
SHA256 f99b2ae8656781e1be65ad464d0472b39ca4fb48a31d9949ed12b0992390dc82
SHA512 1fd0ddca12d5b9cfc5ff6c5d3fb1bb5686a6a17e552f6af631ce019bd0f0fe194bd5770f96ad5af3226de91217c9715955d211145e373904b671cf75052da751

memory/808-16-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2652-18-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe.exe

MD5 2e0d056ad62b6ef87a091003714fd512
SHA1 73150bddb5671c36413d9fbc94a668f132a2edc5
SHA256 cb83f04591cc1d602e650dd5c12f4470cf21b04328477bd6a52081f37c04bd7c
SHA512 b8e920f8b7547aec6f5771e3e6119b01157e5e36a92c67142b0d73ffe0d501d933581e1fc752e5bba9ce819e3897be9c146bebfc0018e91318b0c99d188a2580

memory/1256-27-0x0000000002A40000-0x0000000002A41000-memory.dmp

memory/2652-31-0x0000000000400000-0x000000000043F000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\_desktop.ini

MD5 9d187c446579e70f430c5bb5556efc0c
SHA1 0379a56b3d4a9e75d426a088cd523d01929186b2
SHA256 544ddbeef004b81b45d0e94b3b745247127ea912498b2037a66e1b9e896ab85f
SHA512 6844cb10d0d40b145129edd38157ede9fdb8dacf2c8a0888c7478ff1d0346e5dfd451bb297aea18097330751ae7520761e4a51804b8fb60c19541b97c600ddbc

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 3ac7773258fe0684e8a28f3793a74ed3
SHA1 316fba91c21ea13e4576a5eeec832fd585c31ca0
SHA256 9f41dbbbdf4edcf63ba6262af0ae0d9a13874d0e008522af866f12f3e71b198f
SHA512 8d2647018107b940fe80b5ab979570b9f255764195976272b8c2ee8640b0e91493d5e7fa598b4ce29bda8f87cf495c6c71fd62734d51761b04bb5127eb5b2b4a

memory/2652-3318-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2652-4133-0x0000000000400000-0x000000000043F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 11:15

Reported

2024-05-15 11:18

Platform

win10v2004-20240226-en

Max time kernel

157s

Max time network

162s

Command Line

C:\Windows\Explorer.EXE

Signatures

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | C:\Windows\Logo1_.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\E: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\Logo1_.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jjs.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ar-ae\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\hr-hr\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\EBWebView\x86\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\sk\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\de-DE\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\tr-tr\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\tet\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-il\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\uk\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sk-sk\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\it-it\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\he-il\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\uk-ua\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\dotnet\dotnet.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\de\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-ma\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\it\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\nb-no\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pl-pl\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\nb-no\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\msedge_pwa_launcher.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-ae\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-cn\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-il\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\he-il\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.17\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Reference Assemblies\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\identity_proxy\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\fi\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\cs-cz\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nl-nl\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\uk-ua\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\rhp\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-fr\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\en-US\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Google\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files-select\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fr-fr\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nl-nl\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-sl\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sv-se\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\EBWebView\x64\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Locales\_desktop.ini | C:\Windows\Logo1_.exe | N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe N/A (26 identical entries)
N/A N/A C:\Windows\Logo1_.exe N/A (38 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 380 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe C:\Windows\SysWOW64\net.exe (3 identical entries)
PID 380 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe C:\Windows\SysWOW64\cmd.exe (3 identical entries)
PID 380 wrote to memory of 1496 N/A C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe C:\Windows\Logo1_.exe (3 identical entries)
PID 1452 wrote to memory of 2188 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe (3 identical entries)
PID 1496 wrote to memory of 2428 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe (3 identical entries)
PID 2428 wrote to memory of 4040 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe (3 identical entries)
PID 1496 wrote to memory of 4500 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe (3 identical entries)
PID 1160 wrote to memory of 3608 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe (2 identical entries)
PID 4500 wrote to memory of 4940 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe (3 identical entries)
PID 1496 wrote to memory of 3156 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE (2 identical entries)

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe

"C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a43F9.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe

"C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3892 --field-trial-handle=2272,i,4858140932023865871,5726683989663339295,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
FR 216.58.214.74:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 74.214.58.216.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 23.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 213.143.182.52.in-addr.arpa udp

Files

memory/380-0-0x0000000000400000-0x000000000043F000-memory.dmp

memory/380-6-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\Logo1_.exe

MD5 341ec829f1445cfc22901ee3564a2407
SHA1 3b7d6d531808cf3d17f484d7984c5cbb2ae6d850
SHA256 f99b2ae8656781e1be65ad464d0472b39ca4fb48a31d9949ed12b0992390dc82
SHA512 1fd0ddca12d5b9cfc5ff6c5d3fb1bb5686a6a17e552f6af631ce019bd0f0fe194bd5770f96ad5af3226de91217c9715955d211145e373904b671cf75052da751

memory/1496-9-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a43F9.bat

MD5 dd9903605186cdd58999ef2abd2f50fb
SHA1 4d06e4bfc1c1e094fb12e31488e6aecb2cf57438
SHA256 69d2e7a1e46532b7c41fd5f43e3e591ad9f5b8b8994c3df9b7eb515be6044a23
SHA512 ed87588a9baad6dafceb11cb6130f0aaf65b1815ac61b93520556a6f415351366f5de89d163956f6ba570080d69bec140cd524716f0d862104a6a994dfa24192

C:\Users\Admin\AppData\Local\Temp\11d3a0949c2abbf0fd5afd510d435f92ec511b24b045c8ac3fb6aab0caad1ca7.exe.exe

MD5 2e0d056ad62b6ef87a091003714fd512
SHA1 73150bddb5671c36413d9fbc94a668f132a2edc5
SHA256 cb83f04591cc1d602e650dd5c12f4470cf21b04328477bd6a52081f37c04bd7c
SHA512 b8e920f8b7547aec6f5771e3e6119b01157e5e36a92c67142b0d73ffe0d501d933581e1fc752e5bba9ce819e3897be9c146bebfc0018e91318b0c99d188a2580

memory/1496-18-0x0000000000400000-0x000000000043F000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\_desktop.ini

MD5 9d187c446579e70f430c5bb5556efc0c
SHA1 0379a56b3d4a9e75d426a088cd523d01929186b2
SHA256 544ddbeef004b81b45d0e94b3b745247127ea912498b2037a66e1b9e896ab85f
SHA512 6844cb10d0d40b145129edd38157ede9fdb8dacf2c8a0888c7478ff1d0346e5dfd451bb297aea18097330751ae7520761e4a51804b8fb60c19541b97c600ddbc

C:\Program Files\7-Zip\7z.exe

MD5 20307acbf355d7d7204aea6d3b02a782
SHA1 2e2a1fabd856207be414b8717131d04581d6514a
SHA256 ebf6cdf9f57f2f50c05ade8511c8ea0e1b775891cea9e4fa081e58624e5b3007
SHA512 4b27b30e22ee94f23a82ceca0d0fc00970e25f654b9736d14b1b78d8e64039189f7d772351f1ace71a34d337b8e00994a238a8edc0bc25672af19a07d253fbaf

memory/1496-101-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1496-344-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1496-1607-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1496-2641-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1496-5577-0x0000000000400000-0x000000000043F000-memory.dmp

C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe

MD5 407d9e4c9bddf64762371463891b1006
SHA1 24b05da67f6d6a33807a74b43c728549a97ab7ba
SHA256 62816173c7319fdfd0ea73291bae772c6b116568b3ca2f71ae4268489ed29bb9
SHA512 7d74b2f03c6fef4d17b295e0541b8ab04d434918ef5c9bde4301b296cd1144fa2e6a0808297dbae38b9b232017e6fb457667e4fb3a655d02d9c4aee36aaae7ab

memory/1496-8080-0x0000000000400000-0x000000000043F000-memory.dmp

memory/1496-8819-0x0000000000400000-0x000000000043F000-memory.dmp