Malware Analysis Report

2024-11-30 04:19

Sample ID 240613-a22tlsxeng
Target 82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238
SHA256 82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238
Tags
spyware stealer
score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score 7/10

SHA256 82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238

Threat Level: Shows suspicious behavior

The file 82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238 was found to show suspicious behavior.

Malicious Activity Summary

spyware stealer

Deletes itself

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Drops startup file

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-13 00:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-13 00:43

Reported 2024-06-13 00:45

Platform win7-20240508-en

Max time kernel 150s

Max time network 122s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\wmlaunch.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\DVDMaker.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\mr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Media Player\wmpenc.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Minesweeper\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ps\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\7-Zip\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Australia\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Media Player\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Spades\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\features\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Argentina\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\bg\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Chess\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Photo Viewer\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1728 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe C:\Windows\SysWOW64\net.exe
PID 1728 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe C:\Windows\SysWOW64\net.exe
PID 1728 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe C:\Windows\SysWOW64\net.exe
PID 1728 wrote to memory of 2456 N/A C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe C:\Windows\SysWOW64\net.exe
PID 2456 wrote to memory of 2284 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2456 wrote to memory of 2284 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2456 wrote to memory of 2284 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2456 wrote to memory of 2284 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1728 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe C:\Windows\SysWOW64\cmd.exe
PID 1728 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe C:\Windows\SysWOW64\cmd.exe
PID 1728 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe C:\Windows\SysWOW64\cmd.exe
PID 1728 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe C:\Windows\SysWOW64\cmd.exe
PID 1728 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe C:\Windows\Logo1_.exe
PID 1728 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe C:\Windows\Logo1_.exe
PID 1728 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe C:\Windows\Logo1_.exe
PID 1728 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe C:\Windows\Logo1_.exe
PID 2628 wrote to memory of 2796 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2628 wrote to memory of 2796 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2628 wrote to memory of 2796 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2628 wrote to memory of 2796 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2796 wrote to memory of 2760 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2796 wrote to memory of 2760 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2796 wrote to memory of 2760 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2796 wrote to memory of 2760 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2304 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe
PID 2304 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe
PID 2304 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe
PID 2304 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe
PID 2304 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe
PID 2304 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe
PID 2304 wrote to memory of 1996 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe
PID 2628 wrote to memory of 2660 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2628 wrote to memory of 2660 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2628 wrote to memory of 2660 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2628 wrote to memory of 2660 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2660 wrote to memory of 2220 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2660 wrote to memory of 2220 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2660 wrote to memory of 2220 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2660 wrote to memory of 2220 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2628 wrote to memory of 1196 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2628 wrote to memory of 1196 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe

"C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a208B.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe

"C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/1728-0-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a208B.bat

MD5 51c7b20a322f41b76e53d199040c02cf
SHA1 86f8c7e528fc35e5794b9496661a1402364780ae
SHA256 08d84796f2212d46c1a41bc8055ac486fa2a1b8148863e4f5038f9a0455140a7
SHA512 a014b6b754d679384ec46d770ef6e806e0ade4b214a1348cf6c7095e9a06b687ee04d5e931a37d3d15b014e5fb37ff8c7541d02a7fda46f56d9e2f78900ea18f

C:\Windows\Logo1_.exe

MD5 cd88e1cdb51bb21341a5ebc4614c2993
SHA1 24311f2925671aa9e269bf3caafeb9e5457f34c2
SHA256 bcbc3bac3b06c68e87b00cc8620ff68b28d1dc38c54ad029d2f86117f38995e7
SHA512 59cceba548a123e446e49b9b34ef8b13fe100ba1c4329f8b16c963248f9b1eda4fa5015cf82cf2cac64f2b471761029808c26b134cd29ba757b232dcd5b76eb7

memory/1728-18-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2628-20-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1728-16-0x0000000000230000-0x000000000026D000-memory.dmp

\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe

MD5 c8e284efba3b50c9216dbe552d24f5b0
SHA1 c76b65dd211e03a2a53f57d87cc90df61b0ab10f
SHA256 66d7811a891b614f7fc174ae5a3ea1d29d1edde50b12fcaf51c0dc5b54a20b4a
SHA512 42db8c59820836fee76ffc877983f72d639d9e30171943ae04d8cd8bcd4ac61730a5e0f4b80a905f4f59c03fa8ba62e1c8f4c1e9095eca65f17a2f122a688ef5

memory/1196-31-0x0000000002560000-0x0000000002561000-memory.dmp

memory/2628-34-0x0000000000400000-0x000000000043D000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-268080393-3149932598-1824759070-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 da30546751d760f44fb7575c89a7bf6c
SHA1 755c9d7ec5a3e1d83a53e47dfb1c08c0fcce724a
SHA256 28e78f117ce45ad8c1cbc1bdafdb851e696a3cd1c2c314ddb1729223ffb6ced5
SHA512 5df079d358474eab0738b20deae1fd22b0bf3c46f5330007efcd2a869e068a9abd4dc7207ccc38955932691a728956b23ce4e3953110c68e27e5c704a5d5f3ff

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 7b714d463f7db900d5b6e757778a8ab8
SHA1 2cfc0e9f54236af8e10b0bfa551d87a20982b733
SHA256 c995370836939a29853611830ca08d437286d4f45603edce88f36aa1f99a0d97
SHA512 e8fe8823b5b7f282c24c964cbf4f248b7562259a13410bf95997288727f9bfc6ea51c4aa40182b649a2235bafc02062e0c57f4f62876b5174395071a8d68f9bb

memory/2628-3345-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2628-4174-0x0000000000400000-0x000000000043D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-13 00:43

Reported 2024-06-13 00:45

Platform win10v2004-20240508-en

Max time kernel 149s

Max time network 156s

Command Line

C:\Windows\Explorer.EXE

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\de-de\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ar-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\hu-hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Google\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\COMPASS\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SKY\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\rhp\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nb-no\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hr-hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ja-jp\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\fr-fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jstatd.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\de-de\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ja-jp\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\uk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Network Sharing\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ca-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\java.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PROFILE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\meta\art\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Skins\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\uk-ua\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\fr-fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\Triedit\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\swidtag\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\uk-ua\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Configuration\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-si\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\security\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hr-hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\pl-pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Configuration\Registration\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\dc-annotations\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\extensions\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\he-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe N/A (26 identical entries)
N/A N/A C:\Windows\Logo1_.exe N/A (38 identical entries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 748 wrote to memory of 568 N/A C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe C:\Windows\SysWOW64\net.exe (3 identical entries)
PID 568 wrote to memory of 60 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe (3 identical entries)
PID 748 wrote to memory of 4840 N/A C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe C:\Windows\SysWOW64\cmd.exe (3 identical entries)
PID 748 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe C:\Windows\Logo1_.exe (3 identical entries)
PID 1620 wrote to memory of 3512 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe (3 identical entries)
PID 4840 wrote to memory of 4040 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe (3 identical entries)
PID 3512 wrote to memory of 1700 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe (3 identical entries)
PID 1620 wrote to memory of 392 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe (3 identical entries)
PID 392 wrote to memory of 3240 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe (3 identical entries)
PID 1620 wrote to memory of 3532 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE (2 identical entries)

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe

"C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4A76.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe

"C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp

Files

memory/748-0-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\Logo1_.exe

MD5 cd88e1cdb51bb21341a5ebc4614c2993
SHA1 24311f2925671aa9e269bf3caafeb9e5457f34c2
SHA256 bcbc3bac3b06c68e87b00cc8620ff68b28d1dc38c54ad029d2f86117f38995e7
SHA512 59cceba548a123e446e49b9b34ef8b13fe100ba1c4329f8b16c963248f9b1eda4fa5015cf82cf2cac64f2b471761029808c26b134cd29ba757b232dcd5b76eb7

memory/1620-11-0x0000000000400000-0x000000000043D000-memory.dmp

memory/748-10-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a4A76.bat

MD5 c98d562cb716a4e09da283de952bbd12
SHA1 1514a6fd7550fd8e9087fd7855f4813bbf695b5b
SHA256 388e59c5fbfa99d0822f01f6f26133b99f485c7ef818e5f0c6e28a816eea239d
SHA512 30d3dd8ae80bfd9dc0d7eccf69cd20c484cbf20df067cc44eb8eb0868e5171307e1df5293cfee3fdb8b720efe01a1034bb85f99ebcd0008ecf20a7b544079a27

C:\Users\Admin\AppData\Local\Temp\82f7f19b0901f7183a9a2a3734a5d26a7a69866e2e61b3c2d11d804bdb6ab238.exe.exe

MD5 c8e284efba3b50c9216dbe552d24f5b0
SHA1 c76b65dd211e03a2a53f57d87cc90df61b0ab10f
SHA256 66d7811a891b614f7fc174ae5a3ea1d29d1edde50b12fcaf51c0dc5b54a20b4a
SHA512 42db8c59820836fee76ffc877983f72d639d9e30171943ae04d8cd8bcd4ac61730a5e0f4b80a905f4f59c03fa8ba62e1c8f4c1e9095eca65f17a2f122a688ef5

memory/1620-18-0x0000000000400000-0x000000000043D000-memory.dmp

C:\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

C:\Program Files\7-Zip\7z.exe

MD5 d369fb65a7bea7f167abd442183c4d34
SHA1 f8b98ee3758743a59d69c283bbb3d267c436b761
SHA256 f3ef038fe97fa88da3ad24415d9b9a611b5d904e482ca7da3463f1644b109912
SHA512 7edba551c45378ec1fd5b8bb04ebc54c64ecfd2665633f405632ec69a294d0a8648b4d738ae5eebcd4d743eb9dd70e70e9f5835df1a58c4ff5537071bdb3d956

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 da30546751d760f44fb7575c89a7bf6c
SHA1 755c9d7ec5a3e1d83a53e47dfb1c08c0fcce724a
SHA256 28e78f117ce45ad8c1cbc1bdafdb851e696a3cd1c2c314ddb1729223ffb6ced5
SHA512 5df079d358474eab0738b20deae1fd22b0bf3c46f5330007efcd2a869e068a9abd4dc7207ccc38955932691a728956b23ce4e3953110c68e27e5c704a5d5f3ff

memory/1620-5220-0x0000000000400000-0x000000000043D000-memory.dmp

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 1ad09ab121869e9bedf81b1e82331d05
SHA1 21270e52207071b7d304acb7d776c9abba38c15c
SHA256 834cd914a6bc7c3eadf3b23bacc01433aa6a32411ab547d958604a1c434518b7
SHA512 4b1f28d726ec031fd0350a21ea7091087ae2688818716f7add7524fdf06a07d5937a4aa53c6029d2fab093714b1b48b8032927b56e2c207158946f6c71e6646b

memory/1620-8679-0x0000000000400000-0x000000000043D000-memory.dmp