Malware Analysis Report

2024-11-30 04:25

Sample ID 240613-a21ljs1emq
Target 465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5
SHA256 465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5
Tags spyware stealer
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5

Threat Level: Shows suspicious behavior

The file 465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5 was found to show suspicious behavior.

Malicious Activity Summary

spyware stealer

Deletes itself

Executes dropped EXE

Reads user/profile data of web browsers

Loads dropped DLL

Drops startup file

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Runs net.exe

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 00:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 00:43

Reported

2024-06-13 00:45

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

51s

Command Line

C:\Windows\Explorer.EXE

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ff\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\da\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\hr-hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\video_output\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdb.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\javafx\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ka\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\zh_CN\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\spu\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\cmm\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ks_IN\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\eu-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\zh-cn\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Web Server Extensions\16\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ar-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ru-ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\eu-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Photo Viewer\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ru-ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\javafx\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\cs\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Media Player\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Dictionaries\en_US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\bin\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files-select\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\uz\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\eu-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fr-ma\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1996 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe C:\Windows\SysWOW64\net.exe
PID 640 wrote to memory of 4792 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1996 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 1952 N/A C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe C:\Windows\Logo1_.exe
PID 1952 wrote to memory of 3040 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1528 wrote to memory of 4368 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe
PID 3040 wrote to memory of 4436 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1952 wrote to memory of 4832 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4832 wrote to memory of 3160 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1952 wrote to memory of 3388 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe

"C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a48E0.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe

"C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/1996-0-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\Logo1_.exe

MD5 9f85e7536d590c9790216db83cd4226e
SHA1 4ba479e9e327319c546916f382b5dda9b0217973
SHA256 6ce51f68013320d84f843b0d21c772d7fe1316ae74987e719dbd96ad59fa2273
SHA512 1ae9fc776270b6d45834dfc7c6648832df68a1016ae4456153e3fb7524cd190431fc2828dc7933ee2ccd9eac7a08c11e7697a3dcbbcde96d76335b1b08f292ea

memory/1996-10-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1952-11-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a48E0.bat

MD5 a919e4e53dbd7b938e73e437b54f7726
SHA1 6483f4b1b590ef1892870255183876d8e9b9e709
SHA256 38e1d0923027a15a27d26d9678b7da4cdfc656622cc24b5f7aa9fb0b415bcad9
SHA512 2e38c81061779c9fce75a5d47ee9a6e987c4953722fd117da5072bc494b7fdaffa287af9dd853c6afbac5e574ab9800f93fa5769596c7ef8b90e5a1e284a18d1

C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe.exe

MD5 9a1dd1d96481d61934dcc2d568971d06
SHA1 f136ef9bf8bd2fc753292fb5b7cf173a22675fb3
SHA256 8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525
SHA512 7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

memory/1952-18-0x0000000000400000-0x000000000043D000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

C:\Program Files\UnlockSuspend.exe

MD5 cf504df7fd9aa82d8cdfba0e4c7472b6
SHA1 d175474c45df3e54d01136fdccab531798dec1a6
SHA256 5c9ccade15ec585f9d85ada43bda588a09eb46fa58de9acf1f339083d8ca6b86
SHA512 41fa35453db64f0ee2444cb638a3d0a628b854508ab5e3c6f2237696e66422817ac60dbb3588fe997d508470659028f07dce404732b192dbf7e6d955eb068611

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 21f41242248811873c1451b1bbf0abbb
SHA1 85fe06af630b6d5b26f4e2686483cd2b21f21238
SHA256 5ead7b2db6bd91ffa233801881641df6c7fc35e7c1f1606ebb0293780e909ab1
SHA512 a8729dbc757312b7dbbcf975a3b395b2f7e0e7844110ea4d544d02a699bb6a90f9786273f26a9efc52b56ede0c2c7ee2a6ab19262c528f6a69eab4a5b3af6768

memory/1952-5221-0x0000000000400000-0x000000000043D000-memory.dmp

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 1ad09ab121869e9bedf81b1e82331d05
SHA1 21270e52207071b7d304acb7d776c9abba38c15c
SHA256 834cd914a6bc7c3eadf3b23bacc01433aa6a32411ab547d958604a1c434518b7
SHA512 4b1f28d726ec031fd0350a21ea7091087ae2688818716f7add7524fdf06a07d5937a4aa53c6029d2fab093714b1b48b8032927b56e2c207158946f6c71e6646b

memory/1952-8682-0x0000000000400000-0x000000000043D000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 00:43

Reported

2024-06-13 00:45

Platform

win7-20240220-en

Max time kernel

150s

Max time network

121s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Windows Journal\Templates\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Stationery\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\defaults\pref\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\hy\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\management\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Internet Explorer\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\sidebar.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\zh_CN\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\tet\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\lua\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\DESIGNER\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ca\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\br\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Internet Explorer\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\More Games\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\packetizer\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\spu\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Help\1036\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\windows-amd64\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Indian\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2388 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe C:\Windows\SysWOW64\net.exe
PID 2388 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe C:\Windows\SysWOW64\net.exe
PID 2388 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe C:\Windows\SysWOW64\net.exe
PID 2388 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe C:\Windows\SysWOW64\net.exe
PID 2964 wrote to memory of 3068 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2964 wrote to memory of 3068 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2964 wrote to memory of 3068 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2964 wrote to memory of 3068 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2388 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe C:\Windows\SysWOW64\cmd.exe
PID 2388 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe C:\Windows\Logo1_.exe
PID 2388 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe C:\Windows\Logo1_.exe
PID 2388 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe C:\Windows\Logo1_.exe
PID 2388 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe C:\Windows\Logo1_.exe
PID 2952 wrote to memory of 2728 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2952 wrote to memory of 2728 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2952 wrote to memory of 2728 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2952 wrote to memory of 2728 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1396 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe
PID 1396 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe
PID 1396 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe
PID 1396 wrote to memory of 2796 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe
PID 2728 wrote to memory of 2956 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2728 wrote to memory of 2956 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2728 wrote to memory of 2956 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2728 wrote to memory of 2956 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2952 wrote to memory of 2460 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2952 wrote to memory of 2460 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2952 wrote to memory of 2460 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2952 wrote to memory of 2460 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2460 wrote to memory of 2476 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2460 wrote to memory of 2476 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2460 wrote to memory of 2476 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2460 wrote to memory of 2476 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2952 wrote to memory of 1204 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2952 wrote to memory of 1204 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe

"C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1B6D.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe

"C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/2388-0-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a1B6D.bat

MD5 9bbd687b85428eb557281ccc8b8d3686
SHA1 6b4b93cbd1d58851362b0918eeeee7e176408aa1
SHA256 96ae8b360bde283c658cd11332f439b8a38c4da152718c6a689f2d2cd9e784d7
SHA512 3a2fa3b6d33b2004503ff97e6032fb95a27ddb4280bac9207c857646331261209a69cd19d6f235106e40985874a0ccc83dd5ffc23d03c5f47f1a99cdf3e0b8cf

C:\Windows\Logo1_.exe

MD5 9f85e7536d590c9790216db83cd4226e
SHA1 4ba479e9e327319c546916f382b5dda9b0217973
SHA256 6ce51f68013320d84f843b0d21c772d7fe1316ae74987e719dbd96ad59fa2273
SHA512 1ae9fc776270b6d45834dfc7c6648832df68a1016ae4456153e3fb7524cd190431fc2828dc7933ee2ccd9eac7a08c11e7697a3dcbbcde96d76335b1b08f292ea

memory/2388-17-0x0000000000230000-0x000000000026D000-memory.dmp

memory/2388-19-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2388-16-0x0000000000230000-0x000000000026D000-memory.dmp

memory/2952-20-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5.exe.exe

MD5 9a1dd1d96481d61934dcc2d568971d06
SHA1 f136ef9bf8bd2fc753292fb5b7cf173a22675fb3
SHA256 8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525
SHA512 7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

memory/1204-29-0x0000000002E20000-0x0000000002E21000-memory.dmp

memory/2952-33-0x0000000000400000-0x000000000043D000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 21f41242248811873c1451b1bbf0abbb
SHA1 85fe06af630b6d5b26f4e2686483cd2b21f21238
SHA256 5ead7b2db6bd91ffa233801881641df6c7fc35e7c1f1606ebb0293780e909ab1
SHA512 a8729dbc757312b7dbbcf975a3b395b2f7e0e7844110ea4d544d02a699bb6a90f9786273f26a9efc52b56ede0c2c7ee2a6ab19262c528f6a69eab4a5b3af6768

memory/2952-2978-0x0000000000400000-0x000000000043D000-memory.dmp

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 7b714d463f7db900d5b6e757778a8ab8
SHA1 2cfc0e9f54236af8e10b0bfa551d87a20982b733
SHA256 c995370836939a29853611830ca08d437286d4f45603edce88f36aa1f99a0d97
SHA512 e8fe8823b5b7f282c24c964cbf4f248b7562259a13410bf95997288727f9bfc6ea51c4aa40182b649a2235bafc02062e0c57f4f62876b5174395071a8d68f9bb

memory/2952-4145-0x0000000000400000-0x000000000043D000-memory.dmp