Malware Analysis Report

2024-11-30 04:19

Sample ID: 240613-a2wbts1elr
Target: de8c9a16ca6d4629aefaa4e82531812199a31c463b77ca0beb6f06e0f9b5c59c
SHA256: de8c9a16ca6d4629aefaa4e82531812199a31c463b77ca0beb6f06e0f9b5c59c
Tags: spyware stealer
Score: 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 7/10

SHA256: de8c9a16ca6d4629aefaa4e82531812199a31c463b77ca0beb6f06e0f9b5c59c

Threat Level: Shows suspicious behavior

The file de8c9a16ca6d4629aefaa4e82531812199a31c463b77ca0beb6f06e0f9b5c59c was assessed as: Shows suspicious behavior.

Malicious Activity Summary

spyware stealer

Deletes itself

Executes dropped EXE

Reads user/profile data of web browsers

Drops startup file

Loads dropped DLL

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Runs net.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-13 00:43

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 00:42
Reported: 2024-06-13 00:45
Platform: win7-20240611-en
Max time kernel: 150s
Max time network: 120s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\O: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\Logo1_.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Common Files\microsoft shared\VSTO\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\DVD Maker\de-DE\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\ast\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\Filters\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\WSS\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\eo\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\mn\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Internet Explorer\ExtExport.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\Install\{9DE7027D-B8EC-4BBC-9990-0AF535C09D17}\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\iexplore.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\kn\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Windows Mail\en-US\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CASCADE\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\lua\http\dialogs\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\ja-JP\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Windows Photo Viewer\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Windows Photo Viewer\de-DE\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\mai\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Esl\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\More Games\ja-JP\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Windows Media Player\Visualizations\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Media Player\wmpconfig.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\en_GB\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SKY\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\ku_IQ\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Common Files\Services\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ach\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\co\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\eu\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\_desktop.ini | C:\Windows\Logo1_.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\rundl132.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Windows\Dll.dll | C:\Windows\Logo1_.exe | N/A
File created | C:\Windows\rundl132.exe | C:\Users\Admin\AppData\Local\Temp\de8c9a16ca6d4629aefaa4e82531812199a31c463b77ca0beb6f06e0f9b5c59c.exe | N/A
File created | C:\Windows\Logo1_.exe | C:\Users\Admin\AppData\Local\Temp\de8c9a16ca6d4629aefaa4e82531812199a31c463b77ca0beb6f06e0f9b5c59c.exe | N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\de8c9a16ca6d4629aefaa4e82531812199a31c463b77ca0beb6f06e0f9b5c59c.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2160 wrote to memory of 2008 | N/A | C:\Users\Admin\AppData\Local\Temp\de8c9a16ca6d4629aefaa4e82531812199a31c463b77ca0beb6f06e0f9b5c59c.exe | C:\Windows\SysWOW64\net.exe
PID 2008 wrote to memory of 2088 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2160 wrote to memory of 2836 | N/A | C:\Users\Admin\AppData\Local\Temp\de8c9a16ca6d4629aefaa4e82531812199a31c463b77ca0beb6f06e0f9b5c59c.exe | C:\Windows\SysWOW64\cmd.exe
PID 2160 wrote to memory of 1412 | N/A | C:\Users\Admin\AppData\Local\Temp\de8c9a16ca6d4629aefaa4e82531812199a31c463b77ca0beb6f06e0f9b5c59c.exe | C:\Windows\Logo1_.exe
PID 1412 wrote to memory of 2668 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 2836 wrote to memory of 2732 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\de8c9a16ca6d4629aefaa4e82531812199a31c463b77ca0beb6f06e0f9b5c59c.exe
PID 2668 wrote to memory of 2716 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 1412 wrote to memory of 2808 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 2808 wrote to memory of 2964 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 1412 wrote to memory of 1204 | N/A | C:\Windows\Logo1_.exe | C:\Windows\Explorer.EXE

Processes

Image | Command line
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\de8c9a16ca6d4629aefaa4e82531812199a31c463b77ca0beb6f06e0f9b5c59c.exe | "C:\Users\Admin\AppData\Local\Temp\de8c9a16ca6d4629aefaa4e82531812199a31c463b77ca0beb6f06e0f9b5c59c.exe"
C:\Windows\SysWOW64\net.exe | net stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\cmd.exe | cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1239.bat
C:\Windows\Logo1_.exe | C:\Windows\Logo1_.exe
C:\Windows\SysWOW64\net.exe | net stop "Kingsoft AntiVirus Service"
C:\Users\Admin\AppData\Local\Temp\de8c9a16ca6d4629aefaa4e82531812199a31c463b77ca0beb6f06e0f9b5c59c.exe | "C:\Users\Admin\AppData\Local\Temp\de8c9a16ca6d4629aefaa4e82531812199a31c463b77ca0beb6f06e0f9b5c59c.exe"
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net.exe | net stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/2160-0-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a1239.bat

MD5 8eee6baedd0e259c9a7888bde5149548
SHA1 29e4026b94d3e686cd7e3980ec39ad232e4e378c
SHA256 42002de2f23dd82141924777e3fdcdee2111326e216b726aea959fa1704729e6
SHA512 fa7f43e938b82e53ce9ac869c2188bafb45cff2ec05dcfb6e61ded6ee401c76b8113286a74873ff156593403797093722371c5ec5a082161c5c2cbb6cc8ca8de

C:\Windows\Logo1_.exe

MD5 9f85e7536d590c9790216db83cd4226e
SHA1 4ba479e9e327319c546916f382b5dda9b0217973
SHA256 6ce51f68013320d84f843b0d21c772d7fe1316ae74987e719dbd96ad59fa2273
SHA512 1ae9fc776270b6d45834dfc7c6648832df68a1016ae4456153e3fb7524cd190431fc2828dc7933ee2ccd9eac7a08c11e7697a3dcbbcde96d76335b1b08f292ea

memory/2160-16-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1412-18-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\de8c9a16ca6d4629aefaa4e82531812199a31c463b77ca0beb6f06e0f9b5c59c.exe.exe

MD5 2e0d056ad62b6ef87a091003714fd512
SHA1 73150bddb5671c36413d9fbc94a668f132a2edc5
SHA256 cb83f04591cc1d602e650dd5c12f4470cf21b04328477bd6a52081f37c04bd7c
SHA512 b8e920f8b7547aec6f5771e3e6119b01157e5e36a92c67142b0d73ffe0d501d933581e1fc752e5bba9ce819e3897be9c146bebfc0018e91318b0c99d188a2580

memory/1204-27-0x0000000002E50000-0x0000000002E51000-memory.dmp

memory/1412-31-0x0000000000400000-0x000000000043D000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-1340930862-1405011213-2821322012-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 21f41242248811873c1451b1bbf0abbb
SHA1 85fe06af630b6d5b26f4e2686483cd2b21f21238
SHA256 5ead7b2db6bd91ffa233801881641df6c7fc35e7c1f1606ebb0293780e909ab1
SHA512 a8729dbc757312b7dbbcf975a3b395b2f7e0e7844110ea4d544d02a699bb6a90f9786273f26a9efc52b56ede0c2c7ee2a6ab19262c528f6a69eab4a5b3af6768

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 7b714d463f7db900d5b6e757778a8ab8
SHA1 2cfc0e9f54236af8e10b0bfa551d87a20982b733
SHA256 c995370836939a29853611830ca08d437286d4f45603edce88f36aa1f99a0d97
SHA512 e8fe8823b5b7f282c24c964cbf4f248b7562259a13410bf95997288727f9bfc6ea51c4aa40182b649a2235bafc02062e0c57f4f62876b5174395071a8d68f9bb

memory/1412-3342-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1412-4155-0x0000000000400000-0x000000000043D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 00:42
Reported: 2024-06-13 00:45
Platform: win10v2004-20240508-en
Max time kernel: 149s
Max time network: 150s

Command Line

C:\Windows\Explorer.EXE

Signatures

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | C:\Windows\Logo1_.exe | N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\Z: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\Logo1_.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Java\jre-1.8\lib\images\cursors\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\EQUATION\eqnedt32.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ar-ae\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-cn\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\themes\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-cn\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ca-es\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\images\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Java\Java Update\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\root\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\nb-no\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.187.37\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\PAPYRUS\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\gui\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Windows NT\Accessories\en-US\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Internet Explorer\ieinstal.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\1033\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Windows Media Player\wmpconfig.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nl-nl\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ca-es\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\es-es\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\zh-cn\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\de-de\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\fr-ma\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\cs-cz\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\es-ES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\tr-tr\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\bg\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\locales\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\1033\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Analysis Services\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\eu-es\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Internet Explorer\SIGNUP\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Windows Security\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\nl-nl\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nb-no\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\images\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ko-kr\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jre-1.8\lib\ext\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\stream_out\_desktop.ini | C:\Windows\Logo1_.exe | N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\de8c9a16ca6d4629aefaa4e82531812199a31c463b77ca0beb6f06e0f9b5c59c.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\de8c9a16ca6d4629aefaa4e82531812199a31c463b77ca0beb6f06e0f9b5c59c.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\de8c9a16ca6d4629aefaa4e82531812199a31c463b77ca0beb6f06e0f9b5c59c.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3704 wrote to memory of 1396 N/A C:\Users\Admin\AppData\Local\Temp\de8c9a16ca6d4629aefaa4e82531812199a31c463b77ca0beb6f06e0f9b5c59c.exe C:\Windows\SysWOW64\net.exe
PID 1396 wrote to memory of 3420 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3704 wrote to memory of 3472 N/A C:\Users\Admin\AppData\Local\Temp\de8c9a16ca6d4629aefaa4e82531812199a31c463b77ca0beb6f06e0f9b5c59c.exe C:\Windows\SysWOW64\cmd.exe
PID 3704 wrote to memory of 1488 N/A C:\Users\Admin\AppData\Local\Temp\de8c9a16ca6d4629aefaa4e82531812199a31c463b77ca0beb6f06e0f9b5c59c.exe C:\Windows\Logo1_.exe
PID 3472 wrote to memory of 712 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\de8c9a16ca6d4629aefaa4e82531812199a31c463b77ca0beb6f06e0f9b5c59c.exe
PID 1488 wrote to memory of 1340 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1340 wrote to memory of 4100 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1488 wrote to memory of 660 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 660 wrote to memory of 4488 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1488 wrote to memory of 3508 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\de8c9a16ca6d4629aefaa4e82531812199a31c463b77ca0beb6f06e0f9b5c59c.exe

"C:\Users\Admin\AppData\Local\Temp\de8c9a16ca6d4629aefaa4e82531812199a31c463b77ca0beb6f06e0f9b5c59c.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8E36.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Users\Admin\AppData\Local\Temp\de8c9a16ca6d4629aefaa4e82531812199a31c463b77ca0beb6f06e0f9b5c59c.exe

"C:\Users\Admin\AppData\Local\Temp\de8c9a16ca6d4629aefaa4e82531812199a31c463b77ca0beb6f06e0f9b5c59c.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

Files

memory/3704-0-0x0000000000400000-0x000000000043D000-memory.dmp

memory/3704-10-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1488-11-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\Logo1_.exe

C:\Users\Admin\AppData\Local\Temp\$$a8E36.bat

C:\Users\Admin\AppData\Local\Temp\de8c9a16ca6d4629aefaa4e82531812199a31c463b77ca0beb6f06e0f9b5c59c.exe.exe

memory/1488-18-0x0000000000400000-0x000000000043D000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\_desktop.ini

C:\Program Files\7-Zip\7z.exe

memory/1488-4773-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

memory/1488-8686-0x0000000000400000-0x000000000043D000-memory.dmp