Malware Analysis Report

2025-04-14 01:48

Sample ID 240602-2egzgaad96
Target 7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76
SHA256 7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76
Tags
spyware stealer
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

score
7/10

SHA256

7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76

Threat Level: Shows suspicious behavior

The file 7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76 was found to show suspicious behavior.

Malicious Activity Summary

spyware stealer

Reads user/profile data of web browsers

Drops startup file

Deletes itself

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Runs net.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-02 22:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 22:29

Reported

2024-06-02 22:32

Platform

win7-20240221-en

Max time kernel

149s

Max time network

122s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre7\lib\amd64\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VBA\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ckb\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\Visualizations\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\id\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_splitter\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\skins\fonts\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\More Games\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.rcp_4.4.0.v20141007-2301\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Mahjong\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\pt_PT\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ka\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Argentina\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\PurblePlace.exe C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2264 wrote to memory of 1544 N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe C:\Windows\SysWOW64\net.exe
PID 1544 wrote to memory of 2892 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2264 wrote to memory of 2536 N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe C:\Windows\SysWOW64\cmd.exe
PID 2264 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe C:\Windows\Logo1_.exe
PID 2536 wrote to memory of 2588 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe
PID 2616 wrote to memory of 2652 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2652 wrote to memory of 2680 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2616 wrote to memory of 2636 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2636 wrote to memory of 2424 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2616 wrote to memory of 1200 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe

"C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$aF4C.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe

"C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/2264-0-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aF4C.bat

C:\Windows\Logo1_.exe

memory/2264-17-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2264-16-0x0000000000230000-0x000000000026D000-memory.dmp

memory/2616-19-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe.exe

memory/1200-28-0x0000000002D40000-0x0000000002D41000-memory.dmp

memory/2616-32-0x0000000000400000-0x000000000043D000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\_desktop.ini

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

memory/2616-3279-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2616-4094-0x0000000000400000-0x000000000043D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 22:29

Reported

2024-06-02 22:32

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

103s

Command Line

C:\Windows\Explorer.EXE

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\cmm\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\es_MX\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\de-de\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ru-ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hant\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sm\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\uz\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Java\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\mai\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\text_renderer\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\uk-UA\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\OFFICE16\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\pl-pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\Notifications\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\BIN\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\misc\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\fi-fi\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\si\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-cn\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\versions\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Javascripts\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fi-fi\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\zh-cn\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.29\MicrosoftEdgeUpdate.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\default_apps\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nb-no\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\dtplugin\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\mn\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3216 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe C:\Windows\SysWOW64\net.exe
PID 3216 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe C:\Windows\SysWOW64\net.exe
PID 3216 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe C:\Windows\SysWOW64\net.exe
PID 1508 wrote to memory of 5112 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1508 wrote to memory of 5112 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1508 wrote to memory of 5112 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3216 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe C:\Windows\SysWOW64\cmd.exe
PID 3216 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe C:\Windows\SysWOW64\cmd.exe
PID 3216 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe C:\Windows\SysWOW64\cmd.exe
PID 3216 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe C:\Windows\Logo1_.exe
PID 3216 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe C:\Windows\Logo1_.exe
PID 3216 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe C:\Windows\Logo1_.exe
PID 984 wrote to memory of 2748 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 984 wrote to memory of 2748 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 984 wrote to memory of 2748 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2748 wrote to memory of 4704 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2748 wrote to memory of 4704 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2748 wrote to memory of 4704 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 396 wrote to memory of 4932 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe
PID 396 wrote to memory of 4932 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe
PID 984 wrote to memory of 1176 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 984 wrote to memory of 1176 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 984 wrote to memory of 1176 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1176 wrote to memory of 3824 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1176 wrote to memory of 3824 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1176 wrote to memory of 3824 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 984 wrote to memory of 3456 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 984 wrote to memory of 3456 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe

"C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3BC1.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe

"C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
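
The WriteProcessMemory rows and the Processes list above together describe one execution chain: the sample stops the Kingsoft antivirus service through net.exe/net1.exe, runs a batch file from Temp via cmd.exe, drops and starts C:\Windows\Logo1_.exe, and Logo1_.exe repeats the service stop and then writes into Explorer.EXE, which heads the Processes list rather than appearing as one of its children. The script below is an added example, not part of the sandbox report or its tooling, that rebuilds that tree from the report's own rows and applies detection heuristics to each node. The rows are copied from the table above with the sample's long path shortened to SAMPLE.exe; the PID-to-command-line mapping is an assumption made for the example (the report prints command lines in process order but without PIDs), and the flag names, regular expressions and the "write into the shell" heuristic are the example's own, not a rule the report states.

```python
import re
from collections import defaultdict

# Constructed input: "Suspicious use of WriteProcessMemory" rows copied from this
# report, with the sample's long path shortened to SAMPLE.exe. The sandbox emits one
# row per WriteProcessMemory call, so a single CreateProcess shows up as repeated rows;
# a few of those repeats are kept here to exercise the de-duplication.
WPM_ROWS = r"""
PID 3216 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Windows\SysWOW64\net.exe
PID 3216 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Windows\SysWOW64\net.exe
PID 3216 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Windows\SysWOW64\net.exe
PID 1508 wrote to memory of 5112 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3216 wrote to memory of 396 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Windows\SysWOW64\cmd.exe
PID 3216 wrote to memory of 984 N/A C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe C:\Windows\Logo1_.exe
PID 984 wrote to memory of 2748 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2748 wrote to memory of 4704 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 396 wrote to memory of 4932 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe
PID 984 wrote to memory of 1176 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1176 wrote to memory of 3824 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 984 wrote to memory of 3456 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
"""

# Command lines from the Processes section. ASSUMPTION: the report lists them in
# process order without PIDs, so which PID ran which line is inferred for this example.
CMDLINES = {
    3216: r'"C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe"',
    1508: r'net stop "Kingsoft AntiVirus Service"',
    5112: r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"',
    396:  r'C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3BC1.bat',
    984:  r'C:\Windows\Logo1_.exe',
    2748: r'net stop "Kingsoft AntiVirus Service"',
    4704: r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"',
    4932: r'"C:\Users\Admin\AppData\Local\Temp\SAMPLE.exe"',
    1176: r'net stop "Kingsoft AntiVirus Service"',
    3824: r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"',
    3456: r'C:\Windows\Explorer.EXE',
}

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?) ([A-Za-z]:\\.+)$")
# Heuristics (example's own, not rules from the report):
AV_STOP_RE = re.compile(r'\bnet1?(?:\.exe)?\s+stop\s+"?[^"]*anti.?virus', re.I)
TEMP_BAT_RE = re.compile(r'cmd(?:\.exe)?\s+/c\s+\S*\\AppData\\Local\\Temp\\\S+\.bat', re.I)
WINROOT_EXE_RE = re.compile(r'^[A-Za-z]:\\Windows\\[^\\]+\.exe$', re.I)
SHELL_IMAGES = {"explorer.exe"}
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")


def parse_wpm(rows):
    """Return ({pid: image path}, {(writer pid, target pid)}) with repeated rows collapsed."""
    images, edges = {}, set()
    for line in rows.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m[1]), int(m[2])
        images.setdefault(src, m[3])
        images.setdefault(dst, m[4])
        edges.add((src, dst))
    return images, edges


def build_tree(edges):
    """Writer -> sorted list of processes it wrote into (children, for spawned ones)."""
    children = defaultdict(list)
    for src, dst in sorted(edges):
        children[src].append(dst)
    return children


def roots(images, edges):
    """PIDs nobody wrote into: the detonation entry point(s)."""
    targets = {dst for _, dst in edges}
    return sorted(p for p in images if p not in targets)


def flag_process(pid, image, cmdline):
    """Named indicators for one process, each taken from behaviour visible in this report."""
    flags = []
    if cmdline and AV_STOP_RE.search(cmdline):
        flags.append("stops_antivirus_service")   # net/net1 stop "Kingsoft AntiVirus Service"
    if cmdline and TEMP_BAT_RE.search(cmdline):
        flags.append("runs_temp_batch")           # cmd /c ...\Temp\$$a3BC1.bat
    if WINROOT_EXE_RE.match(image) and image.rsplit("\\", 1)[-1].lower() not in SHELL_IMAGES:
        flags.append("exe_in_windows_root")       # Logo1_.exe dropped directly under C:\Windows
    return flags


def flag_edges(images, edges):
    """Writes into the shell from a binary outside System32/SysWOW64 (Logo1_.exe -> Explorer.EXE)."""
    return sorted((s, d) for s, d in edges
                  if images[d].rsplit("\\", 1)[-1].lower() in SHELL_IMAGES
                  and not images[s].lower().startswith(SYSTEM_DIRS))


def render(images, edges, cmdlines):
    """Indented process tree with per-node flags, then cross-process write findings."""
    children, lines = build_tree(edges), []

    def walk(pid, depth):
        flags = flag_process(pid, images[pid], cmdlines.get(pid, ""))
        tag = f"  [{', '.join(flags)}]" if flags else ""
        lines.append(f"{'  ' * depth}{pid} {images[pid]}{tag}")
        for child in children[pid]:
            walk(child, depth + 1)

    for root in roots(images, edges):
        walk(root, 0)
    for src, dst in flag_edges(images, edges):
        lines.append(f"! {src} ({images[src]}) wrote into {dst} ({images[dst]})")
    return lines


if __name__ == "__main__":
    imgs, eds = parse_wpm(WPM_ROWS)
    print("\n".join(render(imgs, eds, CMDLINES)))
```

On live telemetry the same joins apply with Sysmon Event ID 1 (process creation, which carries parent and child PIDs and command lines) and Event ID 10 (process access) in place of the sandbox's WriteProcessMemory rows; the three flags above map to the "Runs net.exe", "Deletes itself" (the Temp batch file) and "Drops file in Windows directory" signatures in this report.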

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp

Files

memory/3216-0-0x0000000000400000-0x000000000043D000-memory.dmp

memory/3216-10-0x0000000000400000-0x000000000043D000-memory.dmp

memory/984-11-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\Logo1_.exe

MD5 f5a21d2ae39e85a9b986aa3060965b87
SHA1 b22d04580bfbcbc846d18f96ba92018cb1a8138a
SHA256 3e02caf1f845080b75cf865164adfa1c4855d5b6cab6af1664a97c37f3bab646
SHA512 e0bfbe521ca648fe2dabe227235e758d5663c8573440df8b9217f033cb005aaa7b802f7ad9d85bbedaef0ce73503f7a82923623d25483d4d665b0495fcfd5c6f

C:\Users\Admin\AppData\Local\Temp\$$a3BC1.bat

MD5 bba5fdcd9545af7a691f9dddc3b85a37
SHA1 2a1027ce04c23a781f84b2d81a11a3598f69159f
SHA256 cdd3435fe09084233fb7d043cbbaee652f98261677fe220410ce5e4a24904dc1
SHA512 b6254eacb29134e6794eb48ecb4c2b4ec4f6a8f4ca7f1faafd1b807fd8cfc67eb75a743c51e09ccb7494c7cb0b764a9287e6670a71c85f184cbc6d520547c271

C:\Users\Admin\AppData\Local\Temp\7fc8d781c5afda0ce2b5a7772cb2e73d9b14b6d10d85f502e9232062b8879d76.exe.exe

MD5 619f7135621b50fd1900ff24aade1524
SHA1 6c7ea8bbd435163ae3945cbef30ef6b9872a4591
SHA256 344f076bb1211cb02eca9e5ed2c0ce59bcf74ccbc749ec611538fa14ecb9aad2
SHA512 2c7293c084d09bc2e3ae2d066dd7b331c810d9e2eeca8b236a8e87fdeb18e877b948747d3491fcaff245816507685250bd35f984c67a43b29b0ae31ecb2bd628

memory/984-18-0x0000000000400000-0x000000000043D000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-711569230-3659488422-571408806-1000\_desktop.ini

MD5 af485d3db9f82d3e5bdc8c6d87fb742e
SHA1 f879c3dbd3d34e9789ff73896508bfbeabbf7468
SHA256 7a7b688ede50bbaf08d4579fbd8c6b6c99d9dd1206d95ab24d8174eb9be98759
SHA512 d5fe5155948320ef6d3f80c01c9a81f0d4f60bab381d921ab2e06b62475618b973b34346bd41b40af24f2b5aff64bba68710f405f7ff21a58f369acbaaee9360

C:\Program Files\7-Zip\7z.exe

MD5 0e6d500107143697bcfba9450bc17c82
SHA1 f54f6251aa1f02777459466a0311ac093b2af7ef
SHA256 07481182a1f0952663948dc601a4532f1ed257cb853bc032c0557173040e995c
SHA512 6abb4b37772a348cec7cef9ee5d44b8bc0ebbce167029a2da2d6547df202315c3c334580d4ca26f36bc820d8d967dd8b987f791869090cfe60ac19a6bd38fbc2

memory/984-3000-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 f44aac5207fae774b320093a814fe8ce
SHA1 836a7d71f3853f69ea12919a7d5289fac24cb241
SHA256 666ca0e926bc557503309ada0633c33844d0feb048c815c503f381a0bf6ebddc
SHA512 ae387ac2a8dc838c30cb1869eca33c63d4a0a03d0e6d20ffe65650846abf55fe18d22599cd94747595ceaa27b802d3505230c4a0469cabd3037ee761215aa500

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 9363a720e098b38389b25a7b18cfbcdd
SHA1 7b5e835b22262b47e6042e7aadecc67dac05f7db
SHA256 10579b661dade8697f252204f241952eb2029ea6978165f9336fd60a72b3205e
SHA512 564b873358ebe4d4d194b924e9934cb5c1666df901db2556e8cbab8276f8c4380a5bee157cc8eb2063fe0f48a1d0dc1cf339d3d3040d764c974e1c46b0870f88

memory/984-8665-0x0000000000400000-0x000000000043D000-memory.dmp