Malware Analysis Report

2024-11-30 04:19

Sample ID 240613-a2wmla1emj
Target a1827551d132d8fcf82a851cf408f635c92c0b6c151e309b9f0c16c01d6119ae
SHA256 a1827551d132d8fcf82a851cf408f635c92c0b6c151e309b9f0c16c01d6119ae
Tags spyware stealer
Score 7/10

Analysis Overview

Score 7/10

SHA256

a1827551d132d8fcf82a851cf408f635c92c0b6c151e309b9f0c16c01d6119ae

Threat Level: Shows suspicious behavior

The file a1827551d132d8fcf82a851cf408f635c92c0b6c151e309b9f0c16c01d6119ae was classified as: Shows suspicious behavior.

Malicious Activity Summary

spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Drops startup file

Deletes itself

Loads dropped DLL

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Runs net.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 00:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 00:43

Reported

2024-06-13 00:45

Platform

win7-20240508-en

Max time kernel

150s

Max time network

120s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\update_tracking\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\da\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\SpiderSolitaire\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sm\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\LICLUA.EXE C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\PublicAssemblies\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Full\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ms\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\DEEPBLUE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\lib\images\cursors\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\d3d9\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Triedit\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Uninstall Information\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\orbd.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\lib\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Media Player\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\ENU\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\CLIPART\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\More Games\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\tt\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Media Player\WMPSideShowGadget.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\meta\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\a1827551d132d8fcf82a851cf408f635c92c0b6c151e309b9f0c16c01d6119ae.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\a1827551d132d8fcf82a851cf408f635c92c0b6c151e309b9f0c16c01d6119ae.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1827551d132d8fcf82a851cf408f635c92c0b6c151e309b9f0c16c01d6119ae.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1276 wrote to memory of 1176 N/A C:\Users\Admin\AppData\Local\Temp\a1827551d132d8fcf82a851cf408f635c92c0b6c151e309b9f0c16c01d6119ae.exe C:\Windows\SysWOW64\net.exe
PID 1176 wrote to memory of 2160 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1276 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Local\Temp\a1827551d132d8fcf82a851cf408f635c92c0b6c151e309b9f0c16c01d6119ae.exe C:\Windows\SysWOW64\cmd.exe
PID 1276 wrote to memory of 3040 N/A C:\Users\Admin\AppData\Local\Temp\a1827551d132d8fcf82a851cf408f635c92c0b6c151e309b9f0c16c01d6119ae.exe C:\Windows\Logo1_.exe
PID 3040 wrote to memory of 2680 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2680 wrote to memory of 3028 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3040 wrote to memory of 2780 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2780 wrote to memory of 2600 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3040 wrote to memory of 1184 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\a1827551d132d8fcf82a851cf408f635c92c0b6c151e309b9f0c16c01d6119ae.exe

"C:\Users\Admin\AppData\Local\Temp\a1827551d132d8fcf82a851cf408f635c92c0b6c151e309b9f0c16c01d6119ae.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1333.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\a1827551d132d8fcf82a851cf408f635c92c0b6c151e309b9f0c16c01d6119ae.exe

"C:\Users\Admin\AppData\Local\Temp\a1827551d132d8fcf82a851cf408f635c92c0b6c151e309b9f0c16c01d6119ae.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/1276-0-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a1333.bat

MD5 c06860d3a0b970710161e427090c4889
SHA1 03d1fb749c2d0139326634a17699b6c7bf2cd7fd
SHA256 a2b5322e28039674f26121283700671e3e0fa2a4012ed4535002eeb4d8e94342
SHA512 be748529500ac6d7d7d1ec2f06f9b7e25a1f9b0d08f285ad16ffe2161a1dbee1415137d42075d509a4818a5e079e9321adc091945e8ab004e5fe6515a2875cfd

memory/1276-17-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\Logo1_.exe

MD5 9f85e7536d590c9790216db83cd4226e
SHA1 4ba479e9e327319c546916f382b5dda9b0217973
SHA256 6ce51f68013320d84f843b0d21c772d7fe1316ae74987e719dbd96ad59fa2273
SHA512 1ae9fc776270b6d45834dfc7c6648832df68a1016ae4456153e3fb7524cd190431fc2828dc7933ee2ccd9eac7a08c11e7697a3dcbbcde96d76335b1b08f292ea

memory/3040-19-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a1827551d132d8fcf82a851cf408f635c92c0b6c151e309b9f0c16c01d6119ae.exe.exe

MD5 ba18e99b3e17adb5b029eaebc457dd89
SHA1 ec0458f3c00d35b323f08d4e1cc2e72899429c38
SHA256 f5ee36de8edf9be2ac2752b219cfdcb7ca1677071b8e116cb876306e9f1b6628
SHA512 1f41929e6f5b555b60c411c7810cbf14e3af26100df5ac4533ec3739a278c1b925687284660efb4868e3741305098e2737836229efc9fe46c97a6057c10e677c

memory/1184-27-0x00000000024C0000-0x00000000024C1000-memory.dmp

memory/3040-31-0x0000000000400000-0x000000000043D000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3691908287-3775019229-3534252667-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 21f41242248811873c1451b1bbf0abbb
SHA1 85fe06af630b6d5b26f4e2686483cd2b21f21238
SHA256 5ead7b2db6bd91ffa233801881641df6c7fc35e7c1f1606ebb0293780e909ab1
SHA512 a8729dbc757312b7dbbcf975a3b395b2f7e0e7844110ea4d544d02a699bb6a90f9786273f26a9efc52b56ede0c2c7ee2a6ab19262c528f6a69eab4a5b3af6768

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 7b714d463f7db900d5b6e757778a8ab8
SHA1 2cfc0e9f54236af8e10b0bfa551d87a20982b733
SHA256 c995370836939a29853611830ca08d437286d4f45603edce88f36aa1f99a0d97
SHA512 e8fe8823b5b7f282c24c964cbf4f248b7562259a13410bf95997288727f9bfc6ea51c4aa40182b649a2235bafc02062e0c57f4f62876b5174395071a8d68f9bb

memory/3040-3342-0x0000000000400000-0x000000000043D000-memory.dmp

memory/3040-4173-0x0000000000400000-0x000000000043D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 00:43

Reported

2024-06-13 00:45

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ms\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\pl-pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\firefox.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ps\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\is\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\lv\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\ktab.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\jdk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Shared Gadgets\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\hr-hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\cs\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Notifications\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Browser\WCChromeExtn\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hu-hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Defender\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\eu-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\brx\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\skins\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hr-hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Internet Explorer\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\javapackager.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TEXTCONV\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ru-ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ca-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\Integration\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\de\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Configuration\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\libs\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-ma\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\hu-hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ka\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Photo Viewer\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\a1827551d132d8fcf82a851cf408f635c92c0b6c151e309b9f0c16c01d6119ae.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\a1827551d132d8fcf82a851cf408f635c92c0b6c151e309b9f0c16c01d6119ae.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a1827551d132d8fcf82a851cf408f635c92c0b6c151e309b9f0c16c01d6119ae.exe N/A (26 identical rows)
N/A N/A C:\Windows\Logo1_.exe N/A (38 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4788 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\a1827551d132d8fcf82a851cf408f635c92c0b6c151e309b9f0c16c01d6119ae.exe C:\Windows\SysWOW64\net.exe
PID 4788 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\a1827551d132d8fcf82a851cf408f635c92c0b6c151e309b9f0c16c01d6119ae.exe C:\Windows\SysWOW64\net.exe
PID 4788 wrote to memory of 932 N/A C:\Users\Admin\AppData\Local\Temp\a1827551d132d8fcf82a851cf408f635c92c0b6c151e309b9f0c16c01d6119ae.exe C:\Windows\SysWOW64\net.exe
PID 932 wrote to memory of 100 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 932 wrote to memory of 100 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 932 wrote to memory of 100 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4788 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\a1827551d132d8fcf82a851cf408f635c92c0b6c151e309b9f0c16c01d6119ae.exe C:\Windows\SysWOW64\cmd.exe
PID 4788 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\a1827551d132d8fcf82a851cf408f635c92c0b6c151e309b9f0c16c01d6119ae.exe C:\Windows\SysWOW64\cmd.exe
PID 4788 wrote to memory of 1368 N/A C:\Users\Admin\AppData\Local\Temp\a1827551d132d8fcf82a851cf408f635c92c0b6c151e309b9f0c16c01d6119ae.exe C:\Windows\SysWOW64\cmd.exe
PID 4788 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\a1827551d132d8fcf82a851cf408f635c92c0b6c151e309b9f0c16c01d6119ae.exe C:\Windows\Logo1_.exe
PID 4788 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\a1827551d132d8fcf82a851cf408f635c92c0b6c151e309b9f0c16c01d6119ae.exe C:\Windows\Logo1_.exe
PID 4788 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Local\Temp\a1827551d132d8fcf82a851cf408f635c92c0b6c151e309b9f0c16c01d6119ae.exe C:\Windows\Logo1_.exe
PID 2092 wrote to memory of 1396 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2092 wrote to memory of 1396 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2092 wrote to memory of 1396 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1396 wrote to memory of 2512 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1396 wrote to memory of 2512 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1396 wrote to memory of 2512 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2092 wrote to memory of 2764 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2092 wrote to memory of 2764 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2092 wrote to memory of 2764 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2764 wrote to memory of 2800 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2764 wrote to memory of 2800 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2764 wrote to memory of 2800 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2092 wrote to memory of 3460 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2092 wrote to memory of 3460 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\a1827551d132d8fcf82a851cf408f635c92c0b6c151e309b9f0c16c01d6119ae.exe

"C:\Users\Admin\AppData\Local\Temp\a1827551d132d8fcf82a851cf408f635c92c0b6c151e309b9f0c16c01d6119ae.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5AC2.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\a1827551d132d8fcf82a851cf408f635c92c0b6c151e309b9f0c16c01d6119ae.exe

"C:\Users\Admin\AppData\Local\Temp\a1827551d132d8fcf82a851cf408f635c92c0b6c151e309b9f0c16c01d6119ae.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

Files

memory/4788-0-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\Logo1_.exe

MD5 9f85e7536d590c9790216db83cd4226e
SHA1 4ba479e9e327319c546916f382b5dda9b0217973
SHA256 6ce51f68013320d84f843b0d21c772d7fe1316ae74987e719dbd96ad59fa2273
SHA512 1ae9fc776270b6d45834dfc7c6648832df68a1016ae4456153e3fb7524cd190431fc2828dc7933ee2ccd9eac7a08c11e7697a3dcbbcde96d76335b1b08f292ea

memory/4788-10-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2092-11-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a5AC2.bat

MD5 a69ab04c54456eae78b2632374fa076a
SHA1 d4b34b05699a9fdefd6eb5fc1dfb578e2aebda14
SHA256 dd42752e0d99b54c503705460094c140eb6a06bca6e6645de50338a9aac40545
SHA512 f9c75ef665ad90e94e83922f679ccba8ee3e0a97ed18d2b64630f334b630753486ebca05c8256858788bac1708466a3af8e6e9301202d32cb647c3e328510c6d

C:\Users\Admin\AppData\Local\Temp\a1827551d132d8fcf82a851cf408f635c92c0b6c151e309b9f0c16c01d6119ae.exe.exe

MD5 ba18e99b3e17adb5b029eaebc457dd89
SHA1 ec0458f3c00d35b323f08d4e1cc2e72899429c38
SHA256 f5ee36de8edf9be2ac2752b219cfdcb7ca1677071b8e116cb876306e9f1b6628
SHA512 1f41929e6f5b555b60c411c7810cbf14e3af26100df5ac4533ec3739a278c1b925687284660efb4868e3741305098e2737836229efc9fe46c97a6057c10e677c

memory/2092-18-0x0000000000400000-0x000000000043D000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

C:\Program Files\OpenExport.exe

MD5 681f1f697eeb2dc6453226b9c203617c
SHA1 72edef6508bcb55ffd62a6c19992f1255d2a6a9a
SHA256 6d001a0cca4fbf64aafdf60e41458cd0bc96ba82f50da067ce7fa51c57919570
SHA512 6b2460e3e17692297b6ef7d9f537f957e62a0b1235f5575315be8595e3d19dca3dc3b70ec8bed141d1f44c28f7d1d2ede0cf800f4d09dadee250641bfa5a9f1c

memory/2092-2636-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 21f41242248811873c1451b1bbf0abbb
SHA1 85fe06af630b6d5b26f4e2686483cd2b21f21238
SHA256 5ead7b2db6bd91ffa233801881641df6c7fc35e7c1f1606ebb0293780e909ab1
SHA512 a8729dbc757312b7dbbcf975a3b395b2f7e0e7844110ea4d544d02a699bb6a90f9786273f26a9efc52b56ede0c2c7ee2a6ab19262c528f6a69eab4a5b3af6768

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 1ad09ab121869e9bedf81b1e82331d05
SHA1 21270e52207071b7d304acb7d776c9abba38c15c
SHA256 834cd914a6bc7c3eadf3b23bacc01433aa6a32411ab547d958604a1c434518b7
SHA512 4b1f28d726ec031fd0350a21ea7091087ae2688818716f7add7524fdf06a07d5937a4aa53c6029d2fab093714b1b48b8032927b56e2c207158946f6c71e6646b

memory/2092-8688-0x0000000000400000-0x000000000043D000-memory.dmp