Malware Analysis Report

2025-06-15 20:08

Sample ID 240515-ncpdwaeh37
Target e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7
SHA256 e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7
Tags: spyware, stealer
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256

e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7

Threat Level: Shows suspicious behavior

The file e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7 was found to show suspicious behavior.

Malicious Activity Summary

spyware stealer

Loads dropped DLL

Drops startup file

Deletes itself

Reads user/profile data of web browsers

Executes dropped EXE

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-15 11:15

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-15 11:15

Reported

2024-05-15 11:17

Platform

win7-20240508-en

Max time kernel

149s

Max time network

122s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CAPSULES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\ja\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\rmid.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sv\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\gui\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Reference Assemblies\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\es_MX\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Internet Explorer\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\lib\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Defender\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ps\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Media Player\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\FreeCell\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fur\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\zh_CN\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Mahjong\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Internet Explorer\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\OldAge\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\id\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Minesweeper\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\sm\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\{A0DB34BA-83CF-47F6-9C74-18E331645027}\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ne\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2900 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe C:\Windows\SysWOW64\net.exe
PID 2900 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe C:\Windows\SysWOW64\net.exe
PID 2900 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe C:\Windows\SysWOW64\net.exe
PID 2900 wrote to memory of 1688 N/A C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe C:\Windows\SysWOW64\net.exe
PID 1688 wrote to memory of 2076 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1688 wrote to memory of 2076 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1688 wrote to memory of 2076 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1688 wrote to memory of 2076 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2900 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 1728 N/A C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe C:\Windows\SysWOW64\cmd.exe
PID 2900 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe C:\Windows\Logo1_.exe
PID 2900 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe C:\Windows\Logo1_.exe
PID 2900 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe C:\Windows\Logo1_.exe
PID 2900 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe C:\Windows\Logo1_.exe
PID 2692 wrote to memory of 2716 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2692 wrote to memory of 2716 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2692 wrote to memory of 2716 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2692 wrote to memory of 2716 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1728 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe
PID 1728 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe
PID 1728 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe
PID 1728 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe
PID 2716 wrote to memory of 2836 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2716 wrote to memory of 2836 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2716 wrote to memory of 2836 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2716 wrote to memory of 2836 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2692 wrote to memory of 2928 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2692 wrote to memory of 2928 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2692 wrote to memory of 2928 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2692 wrote to memory of 2928 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2928 wrote to memory of 2684 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2928 wrote to memory of 2684 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2928 wrote to memory of 2684 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2928 wrote to memory of 2684 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2692 wrote to memory of 1204 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2692 wrote to memory of 1204 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe

"C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1FB1.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe

"C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/2900-0-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a1FB1.bat

MD5 5758ade1bccdbe19b8e2ff3b6bea0ab0
SHA1 49d3dc66b9f7430c9991e0fd77059b1b04347980
SHA256 6a049ca0359ee88adcd71aac517222ab5b74c241f6842724baae9b7df531a6ff
SHA512 b5763aaffa6635287e9bd25ee3a030a139ed466a1ef4127b0eb05542860abb032c231729cbb3d488de05db17863ad2aaa022ebee7b7fd65c4891e25a93d3473f

C:\Windows\Logo1_.exe

MD5 341ec829f1445cfc22901ee3564a2407
SHA1 3b7d6d531808cf3d17f484d7984c5cbb2ae6d850
SHA256 f99b2ae8656781e1be65ad464d0472b39ca4fb48a31d9949ed12b0992390dc82
SHA512 1fd0ddca12d5b9cfc5ff6c5d3fb1bb5686a6a17e552f6af631ce019bd0f0fe194bd5770f96ad5af3226de91217c9715955d211145e373904b671cf75052da751

memory/2692-19-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2900-18-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2900-17-0x0000000001C80000-0x0000000001CBF000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe.exe

MD5 30ac0b832d75598fb3ec37b6f2a8c86a
SHA1 6f47dbfd6ff36df7ba581a4cef024da527dc3046
SHA256 1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74
SHA512 505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

memory/1204-29-0x0000000002D80000-0x0000000002D81000-memory.dmp

memory/2692-32-0x0000000000400000-0x000000000043F000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-2737914667-933161113-3798636211-1000\_desktop.ini

MD5 9d187c446579e70f430c5bb5556efc0c
SHA1 0379a56b3d4a9e75d426a088cd523d01929186b2
SHA256 544ddbeef004b81b45d0e94b3b745247127ea912498b2037a66e1b9e896ab85f
SHA512 6844cb10d0d40b145129edd38157ede9fdb8dacf2c8a0888c7478ff1d0346e5dfd451bb297aea18097330751ae7520761e4a51804b8fb60c19541b97c600ddbc

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 3ac7773258fe0684e8a28f3793a74ed3
SHA1 316fba91c21ea13e4576a5eeec832fd585c31ca0
SHA256 9f41dbbbdf4edcf63ba6262af0ae0d9a13874d0e008522af866f12f3e71b198f
SHA512 8d2647018107b940fe80b5ab979570b9f255764195976272b8c2ee8640b0e91493d5e7fa598b4ce29bda8f87cf495c6c71fd62734d51761b04bb5127eb5b2b4a

memory/2692-3343-0x0000000000400000-0x000000000043F000-memory.dmp

memory/2692-4174-0x0000000000400000-0x000000000043F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-15 11:15

Reported

2024-05-15 11:17

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\Shared\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\ja-jp\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroLayoutRecognizer\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins3d\prc\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ca-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\INDUST\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ku_IQ\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-si\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-ma\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\amd64\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fi-fi\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\ktab.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sl-si\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\sl-si\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ar-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Media Player\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_chroma\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\chrome_installer.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft.NET\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft.NET\ADOMD.NET\130\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Comprehensive\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1304 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe C:\Windows\SysWOW64\net.exe
PID 1304 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe C:\Windows\SysWOW64\net.exe
PID 1304 wrote to memory of 5096 N/A C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe C:\Windows\SysWOW64\net.exe
PID 5096 wrote to memory of 4820 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 5096 wrote to memory of 4820 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 5096 wrote to memory of 4820 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1304 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe C:\Windows\SysWOW64\cmd.exe
PID 1304 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe C:\Windows\SysWOW64\cmd.exe
PID 1304 wrote to memory of 4440 N/A C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe C:\Windows\SysWOW64\cmd.exe
PID 1304 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe C:\Windows\Logo1_.exe
PID 1304 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe C:\Windows\Logo1_.exe
PID 1304 wrote to memory of 4564 N/A C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe C:\Windows\Logo1_.exe
PID 4564 wrote to memory of 5060 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4564 wrote to memory of 5060 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4564 wrote to memory of 5060 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 5060 wrote to memory of 1884 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 5060 wrote to memory of 1884 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 5060 wrote to memory of 1884 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4440 wrote to memory of 2312 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe
PID 4440 wrote to memory of 2312 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe
PID 4564 wrote to memory of 2992 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4564 wrote to memory of 2992 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4564 wrote to memory of 2992 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2992 wrote to memory of 3476 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2992 wrote to memory of 3476 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2992 wrote to memory of 3476 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4564 wrote to memory of 3516 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 4564 wrote to memory of 3516 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe

"C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a49F9.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe

"C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 g.bing.com udp
US 131.253.33.237:443 g.bing.com tcp
NL 23.62.61.90:443 www.bing.com tcp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.33.253.131.in-addr.arpa udp
US 8.8.8.8:53 90.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 28.143.109.104.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 105.246.116.51.in-addr.arpa udp

Files

memory/1304-0-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Windows\Logo1_.exe

MD5 341ec829f1445cfc22901ee3564a2407
SHA1 3b7d6d531808cf3d17f484d7984c5cbb2ae6d850
SHA256 f99b2ae8656781e1be65ad464d0472b39ca4fb48a31d9949ed12b0992390dc82
SHA512 1fd0ddca12d5b9cfc5ff6c5d3fb1bb5686a6a17e552f6af631ce019bd0f0fe194bd5770f96ad5af3226de91217c9715955d211145e373904b671cf75052da751

memory/1304-8-0x0000000000400000-0x000000000043F000-memory.dmp

memory/4564-10-0x0000000000400000-0x000000000043F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a49F9.bat

MD5 0ecf482ebff471b3ad4d18964f32bb80
SHA1 6fc3b578ddf1b3faef5d2d68f52a5a61e76a5b27
SHA256 791d06aac5a9a5c0c83019b4b08fad60234a746b98a4c5a6f240faa9b7b881bf
SHA512 be5b738dfc3512ca5b5a729b56f3793cf74306f5abe9ec98d5cb3329e0f4d5cf515432830f05500277d1298dd1f14a068fcbbf1a64a1613690a3e4a979d1dd82

C:\Users\Admin\AppData\Local\Temp\e63c506ebbb78edf9cf045193b69c1b58ab40b3f00dff2f36a5a8e1497a768f7.exe.exe

MD5 30ac0b832d75598fb3ec37b6f2a8c86a
SHA1 6f47dbfd6ff36df7ba581a4cef024da527dc3046
SHA256 1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74
SHA512 505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

memory/4564-17-0x0000000000400000-0x000000000043F000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3906287020-2915474608-1755617787-1000\_desktop.ini

MD5 9d187c446579e70f430c5bb5556efc0c
SHA1 0379a56b3d4a9e75d426a088cd523d01929186b2
SHA256 544ddbeef004b81b45d0e94b3b745247127ea912498b2037a66e1b9e896ab85f
SHA512 6844cb10d0d40b145129edd38157ede9fdb8dacf2c8a0888c7478ff1d0346e5dfd451bb297aea18097330751ae7520761e4a51804b8fb60c19541b97c600ddbc

C:\Program Files\7-Zip\7z.exe

MD5 20307acbf355d7d7204aea6d3b02a782
SHA1 2e2a1fabd856207be414b8717131d04581d6514a
SHA256 ebf6cdf9f57f2f50c05ade8511c8ea0e1b775891cea9e4fa081e58624e5b3007
SHA512 4b27b30e22ee94f23a82ceca0d0fc00970e25f654b9736d14b1b78d8e64039189f7d772351f1ace71a34d337b8e00994a238a8edc0bc25672af19a07d253fbaf

memory/4564-3757-0x0000000000400000-0x000000000043F000-memory.dmp

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 c0651f5f5ed8c9967b91a89a86cc4dc4
SHA1 6866b91667021c6cc7fd680451a5ea183dce3cd1
SHA256 d09336ea46c4c6e8b83dff2aa4bd31d9e993bcd572e6b274449adc5f9e51627d
SHA512 1cf7354f1b204415fd099c1fdaeecda5f0daec86948cee48da433d847d0ce94fee7fcf2365675868e82450891244b04902d730d6b0e0dfb5c29df1cd4b5d8ad6

memory/4564-8702-0x0000000000400000-0x000000000043F000-memory.dmp