Malware Analysis Report

2024-11-30 04:27

Sample ID 240613-a2173sxene
Target 0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819
SHA256 0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819
Tags
spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819

Threat Level: Shows suspicious behavior

The file 0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819 was found to be: Shows suspicious behavior.

Malicious Activity Summary

spyware stealer

Deletes itself

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Drops startup file

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

Runs net.exe

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 00:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 00:43

Reported

2024-06-13 00:45

Platform

win7-20231129-en

Max time kernel

149s

Max time network

120s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\VideoLAN\VLC\locale\id\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\text_renderer\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\cmm\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\dialogs\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\bckgzm.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ga\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Mail\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ckb\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\JOURNAL\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\More Games\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2660 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe C:\Windows\SysWOW64\net.exe
PID 2660 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe C:\Windows\SysWOW64\net.exe
PID 2660 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe C:\Windows\SysWOW64\net.exe
PID 2660 wrote to memory of 1692 N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe C:\Windows\SysWOW64\net.exe
PID 1692 wrote to memory of 2380 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1692 wrote to memory of 2380 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1692 wrote to memory of 2380 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1692 wrote to memory of 2380 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2660 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 1876 N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe C:\Windows\SysWOW64\cmd.exe
PID 2660 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe C:\Windows\Logo1_.exe
PID 2660 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe C:\Windows\Logo1_.exe
PID 2660 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe C:\Windows\Logo1_.exe
PID 2660 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe C:\Windows\Logo1_.exe
PID 1876 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe
PID 1876 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe
PID 1876 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe
PID 1876 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe
PID 2292 wrote to memory of 2636 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2292 wrote to memory of 2636 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2292 wrote to memory of 2636 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2292 wrote to memory of 2636 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2636 wrote to memory of 2148 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2636 wrote to memory of 2148 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2636 wrote to memory of 2148 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2636 wrote to memory of 2148 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2292 wrote to memory of 2792 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2292 wrote to memory of 2792 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2292 wrote to memory of 2792 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2292 wrote to memory of 2792 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2792 wrote to memory of 2608 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2792 wrote to memory of 2608 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2792 wrote to memory of 2608 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2792 wrote to memory of 2608 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2292 wrote to memory of 1380 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2292 wrote to memory of 1380 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe

"C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$aCCD.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe

"C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/2660-0-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aCCD.bat

MD5 0aa11992af642a8e2a88e4e240cbc87f
SHA1 79f8dd81320d40cc483b3df65acbcad2ac0465ab
SHA256 31449d307300b401d1636c5a658d050b0e2aff0273179d665fb68ab3a8bbe3b3
SHA512 a4f510d2f5b4cbebf508c968385947fe6709bfbe30e25546949feebd5e05a2a37b4115e05af63fda47e12be6f082bdd00e95ce1e1730166fccd12d9d176c5853

C:\Windows\Logo1_.exe

MD5 9f85e7536d590c9790216db83cd4226e
SHA1 4ba479e9e327319c546916f382b5dda9b0217973
SHA256 6ce51f68013320d84f843b0d21c772d7fe1316ae74987e719dbd96ad59fa2273
SHA512 1ae9fc776270b6d45834dfc7c6648832df68a1016ae4456153e3fb7524cd190431fc2828dc7933ee2ccd9eac7a08c11e7697a3dcbbcde96d76335b1b08f292ea

memory/2660-16-0x00000000001C0000-0x00000000001FD000-memory.dmp

memory/2660-18-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe.exe

MD5 40ac62c087648ccc2c58dae066d34c98
SHA1 0e87efb6ddfe59e534ea9e829cad35be8563e5f7
SHA256 482c4c1562490e164d5f17990253373691aa5eab55a81c7f890fe9583a9ea916
SHA512 0c1ff13ff88409d54fee2ceb07fe65135ce2a9aa6f8da51ac0158abb2cfbb3a898ef26f476931986f1367622f21a7c0b0e742d0f4de8be6e215596b0d88c518f

memory/1380-27-0x0000000002480000-0x0000000002481000-memory.dmp

memory/2292-31-0x0000000000400000-0x000000000043D000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 21f41242248811873c1451b1bbf0abbb
SHA1 85fe06af630b6d5b26f4e2686483cd2b21f21238
SHA256 5ead7b2db6bd91ffa233801881641df6c7fc35e7c1f1606ebb0293780e909ab1
SHA512 a8729dbc757312b7dbbcf975a3b395b2f7e0e7844110ea4d544d02a699bb6a90f9786273f26a9efc52b56ede0c2c7ee2a6ab19262c528f6a69eab4a5b3af6768

memory/2292-2976-0x0000000000400000-0x000000000043D000-memory.dmp

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 7b714d463f7db900d5b6e757778a8ab8
SHA1 2cfc0e9f54236af8e10b0bfa551d87a20982b733
SHA256 c995370836939a29853611830ca08d437286d4f45603edce88f36aa1f99a0d97
SHA512 e8fe8823b5b7f282c24c964cbf4f248b7562259a13410bf95997288727f9bfc6ea51c4aa40182b649a2235bafc02062e0c57f4f62876b5174395071a8d68f9bb

memory/2292-4123-0x0000000000400000-0x000000000043D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 00:43

Reported

2024-06-13 00:45

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

152s

Command Line

C:\Windows\Explorer.EXE

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\HelpCfg\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre-1.8\lib\amd64\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\hy\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\it-it\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\pl-pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sk-sk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateOnDemand.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office16\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\AS OLEDB\140\Cartridges\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\cef\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nb-no\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Media Player\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SONORA\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroBroker.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\hi_contrast\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_splitter\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\uk-ua\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hu-hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ca-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fr-ma\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\SPREADSHEETCOMPARE.EXE C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_platform_specific\win_x64\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\rhp\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\eu-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_CA\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Updates\Apply\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\he-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 992 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe C:\Windows\SysWOW64\net.exe
PID 992 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe C:\Windows\SysWOW64\net.exe
PID 992 wrote to memory of 924 N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe C:\Windows\SysWOW64\net.exe
PID 924 wrote to memory of 2092 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 924 wrote to memory of 2092 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 924 wrote to memory of 2092 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 992 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe C:\Windows\SysWOW64\cmd.exe
PID 992 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe C:\Windows\SysWOW64\cmd.exe
PID 992 wrote to memory of 4404 N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe C:\Windows\SysWOW64\cmd.exe
PID 992 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe C:\Windows\Logo1_.exe
PID 992 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe C:\Windows\Logo1_.exe
PID 992 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe C:\Windows\Logo1_.exe
PID 2196 wrote to memory of 4868 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2196 wrote to memory of 4868 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2196 wrote to memory of 4868 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4404 wrote to memory of 3204 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe
PID 4404 wrote to memory of 3204 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe
PID 4868 wrote to memory of 4012 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4868 wrote to memory of 4012 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4868 wrote to memory of 4012 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2196 wrote to memory of 5108 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2196 wrote to memory of 5108 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2196 wrote to memory of 5108 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 5108 wrote to memory of 4472 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 5108 wrote to memory of 4472 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 5108 wrote to memory of 4472 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2196 wrote to memory of 3436 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2196 wrote to memory of 3436 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe

"C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a421A.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe

"C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 105.193.132.51.in-addr.arpa udp

Files

memory/992-0-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\Logo1_.exe

MD5 9f85e7536d590c9790216db83cd4226e
SHA1 4ba479e9e327319c546916f382b5dda9b0217973
SHA256 6ce51f68013320d84f843b0d21c772d7fe1316ae74987e719dbd96ad59fa2273
SHA512 1ae9fc776270b6d45834dfc7c6648832df68a1016ae4456153e3fb7524cd190431fc2828dc7933ee2ccd9eac7a08c11e7697a3dcbbcde96d76335b1b08f292ea

memory/992-9-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2196-11-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a421A.bat

MD5 f0a8c83171f8e843d6b923cc76f03a6c
SHA1 03800e05a8f7545be3c6ed1e756768224d9e13f3
SHA256 f9b61143a2b7a29c8a509539711e9d0de0a35796915bcba16d24ad74ae8721cf
SHA512 7c36851c12c7027fc0c51634b80ee23d8d54472a885ae9566a3f2804b69f45b66641bc93612f56c3186b6724edabfb0ec14c85ec1d152d108dedb8d1909e4313

C:\Users\Admin\AppData\Local\Temp\0ef10058d9340430c9bef5f6a195822f87b08d19d70f2c93680c079405b22819.exe.exe

MD5 40ac62c087648ccc2c58dae066d34c98
SHA1 0e87efb6ddfe59e534ea9e829cad35be8563e5f7
SHA256 482c4c1562490e164d5f17990253373691aa5eab55a81c7f890fe9583a9ea916
SHA512 0c1ff13ff88409d54fee2ceb07fe65135ce2a9aa6f8da51ac0158abb2cfbb3a898ef26f476931986f1367622f21a7c0b0e742d0f4de8be6e215596b0d88c518f

memory/2196-18-0x0000000000400000-0x000000000043D000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-2447855248-390457009-3660902674-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

C:\Program Files\7-Zip\7z.exe

MD5 84077a87183a7cb06546028816b7904f
SHA1 192f2e65f048c44d212d089814d6cbfda79c75d0
SHA256 465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5
SHA512 9f9b0136a70cd24a540c3825694885334eb1e1dadf5e192bafdf2280befbef8c9746efa14e7d3059807a9a0ae64215eb41301dc4410411715e48917b81f8d2f4

memory/2196-2942-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 21f41242248811873c1451b1bbf0abbb
SHA1 85fe06af630b6d5b26f4e2686483cd2b21f21238
SHA256 5ead7b2db6bd91ffa233801881641df6c7fc35e7c1f1606ebb0293780e909ab1
SHA512 a8729dbc757312b7dbbcf975a3b395b2f7e0e7844110ea4d544d02a699bb6a90f9786273f26a9efc52b56ede0c2c7ee2a6ab19262c528f6a69eab4a5b3af6768

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 1ad09ab121869e9bedf81b1e82331d05
SHA1 21270e52207071b7d304acb7d776c9abba38c15c
SHA256 834cd914a6bc7c3eadf3b23bacc01433aa6a32411ab547d958604a1c434518b7
SHA512 4b1f28d726ec031fd0350a21ea7091087ae2688818716f7add7524fdf06a07d5937a4aa53c6029d2fab093714b1b48b8032927b56e2c207158946f6c71e6646b

memory/2196-8692-0x0000000000400000-0x000000000043D000-memory.dmp