Malware Analysis Report

2024-11-30 04:23

Sample ID 240613-a2yrysxenb
Target 61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95
SHA256 61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95
Tags
spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95

Threat Level: Shows suspicious behavior

The file 61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95 was found to show suspicious behavior.

Malicious Activity Summary

spyware stealer

Deletes itself

Reads user/profile data of web browsers

Drops startup file

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Runs net.exe

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 00:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 00:43

Reported

2024-06-13 00:45

Platform

win7-20240611-en

Max time kernel

150s

Max time network

121s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Mahjong\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Mail\wab.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Updater6\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\bin\plugin2\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\updater.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\oc\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\tt\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\intf\modules\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Help\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\dtplugin\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Checkers\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\1.0\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUECALM\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VC\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\RedistList\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECHO\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\Contracts\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\or_IN\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\kn\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Triedit\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Uninstall Information\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Accessories\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2736 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe C:\Windows\SysWOW64\net.exe
PID 2736 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe C:\Windows\SysWOW64\net.exe
PID 2736 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe C:\Windows\SysWOW64\net.exe
PID 2736 wrote to memory of 1120 N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe C:\Windows\SysWOW64\net.exe
PID 1120 wrote to memory of 2428 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1120 wrote to memory of 2428 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1120 wrote to memory of 2428 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1120 wrote to memory of 2428 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2736 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe C:\Windows\SysWOW64\cmd.exe
PID 2736 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe C:\Windows\Logo1_.exe
PID 2736 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe C:\Windows\Logo1_.exe
PID 2736 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe C:\Windows\Logo1_.exe
PID 2736 wrote to memory of 2552 N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe C:\Windows\Logo1_.exe
PID 2552 wrote to memory of 2616 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2552 wrote to memory of 2616 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2552 wrote to memory of 2616 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2552 wrote to memory of 2616 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2616 wrote to memory of 2816 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2616 wrote to memory of 2816 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2616 wrote to memory of 2816 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2616 wrote to memory of 2816 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2800 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe
PID 2800 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe
PID 2800 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe
PID 2800 wrote to memory of 2812 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe
PID 2552 wrote to memory of 2640 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2552 wrote to memory of 2640 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2552 wrote to memory of 2640 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2552 wrote to memory of 2640 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2640 wrote to memory of 2180 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2640 wrote to memory of 2180 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2640 wrote to memory of 2180 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2640 wrote to memory of 2180 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2552 wrote to memory of 1128 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2552 wrote to memory of 1128 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe

"C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a24B0.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe

"C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/2736-0-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a24B0.bat

MD5 dc9ee8defea82ff4003ca3f706b6ec48
SHA1 6301e7e02450ed0630f771bcded2a95b045c55aa
SHA256 43ae64d30001dce0541bc9f57bdaf4236684b4b85a565c5b21932da11c00972a
SHA512 51d2452fd3aec336b8b1d98c27c9af8c51f16c79e236b7f9b1bd90c38ee1d710ccff08fb63003fc5f73ceb06bc15a33ce5fc88ab0bfdc5b709a41aa9f39cecf5

memory/2736-17-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\Logo1_.exe

MD5 9f85e7536d590c9790216db83cd4226e
SHA1 4ba479e9e327319c546916f382b5dda9b0217973
SHA256 6ce51f68013320d84f843b0d21c772d7fe1316ae74987e719dbd96ad59fa2273
SHA512 1ae9fc776270b6d45834dfc7c6648832df68a1016ae4456153e3fb7524cd190431fc2828dc7933ee2ccd9eac7a08c11e7697a3dcbbcde96d76335b1b08f292ea

memory/2552-19-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2736-18-0x00000000002F0000-0x000000000032D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe.exe

MD5 30ac0b832d75598fb3ec37b6f2a8c86a
SHA1 6f47dbfd6ff36df7ba581a4cef024da527dc3046
SHA256 1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74
SHA512 505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

memory/1128-29-0x0000000002E30000-0x0000000002E31000-memory.dmp

memory/2552-32-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2736-34-0x00000000002F0000-0x000000000032D000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-1340930862-1405011213-2821322012-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 21f41242248811873c1451b1bbf0abbb
SHA1 85fe06af630b6d5b26f4e2686483cd2b21f21238
SHA256 5ead7b2db6bd91ffa233801881641df6c7fc35e7c1f1606ebb0293780e909ab1
SHA512 a8729dbc757312b7dbbcf975a3b395b2f7e0e7844110ea4d544d02a699bb6a90f9786273f26a9efc52b56ede0c2c7ee2a6ab19262c528f6a69eab4a5b3af6768

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 7b714d463f7db900d5b6e757778a8ab8
SHA1 2cfc0e9f54236af8e10b0bfa551d87a20982b733
SHA256 c995370836939a29853611830ca08d437286d4f45603edce88f36aa1f99a0d97
SHA512 e8fe8823b5b7f282c24c964cbf4f248b7562259a13410bf95997288727f9bfc6ea51c4aa40182b649a2235bafc02062e0c57f4f62876b5174395071a8d68f9bb

memory/2552-3345-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2552-4155-0x0000000000400000-0x000000000043D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 00:43

Reported

2024-06-13 00:45

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

142s

Command Line

C:\Windows\Explorer.EXE

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\Oracle\Java\javapath\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Updates\Download\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-ma\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\mux\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ar-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sl-si\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\Comprehensive\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\it-it\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\services_discovery\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-cn\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\Portal\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\it-it\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ru-ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENFR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nb-no\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\lv\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Temp\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sl-si\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\de-de\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ar-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\wabmig.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\orbd.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\uk-ua\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\javacpl.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ru-ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\he-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\fr-ma\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pl-pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nb-no\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2604 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe C:\Windows\SysWOW64\net.exe
PID 2604 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe C:\Windows\SysWOW64\net.exe
PID 2604 wrote to memory of 4036 N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe C:\Windows\SysWOW64\net.exe
PID 4036 wrote to memory of 4928 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4036 wrote to memory of 4928 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4036 wrote to memory of 4928 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2604 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 4188 N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe C:\Windows\SysWOW64\cmd.exe
PID 2604 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe C:\Windows\Logo1_.exe
PID 2604 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe C:\Windows\Logo1_.exe
PID 2604 wrote to memory of 1780 N/A C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe C:\Windows\Logo1_.exe
PID 1780 wrote to memory of 2664 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1780 wrote to memory of 2664 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1780 wrote to memory of 2664 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4188 wrote to memory of 2904 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe
PID 4188 wrote to memory of 2904 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe
PID 2664 wrote to memory of 3216 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2664 wrote to memory of 3216 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2664 wrote to memory of 3216 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1780 wrote to memory of 4724 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1780 wrote to memory of 4724 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1780 wrote to memory of 4724 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4724 wrote to memory of 2400 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4724 wrote to memory of 2400 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4724 wrote to memory of 2400 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1780 wrote to memory of 3356 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 1780 wrote to memory of 3356 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe

"C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a8D3C.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe

"C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
BE 88.221.83.187:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 187.83.221.88.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp

Files

memory/2604-0-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\Logo1_.exe

MD5 9f85e7536d590c9790216db83cd4226e
SHA1 4ba479e9e327319c546916f382b5dda9b0217973
SHA256 6ce51f68013320d84f843b0d21c772d7fe1316ae74987e719dbd96ad59fa2273
SHA512 1ae9fc776270b6d45834dfc7c6648832df68a1016ae4456153e3fb7524cd190431fc2828dc7933ee2ccd9eac7a08c11e7697a3dcbbcde96d76335b1b08f292ea

memory/2604-9-0x0000000000400000-0x000000000043D000-memory.dmp

memory/1780-10-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a8D3C.bat

MD5 fb3079a6419cc56dad3817cb5caab7e0
SHA1 79d111605ff1daaa5cc91bf609ac29bb8af49e0a
SHA256 a8ad7760c3a603284412ae82137734b5ab682df5704a4022ceb048e72d5b3bce
SHA512 70a52e90b068a9891a91a1c0510e00dfaeea4ac1d69a113052ddc559434c989a878badf56574dd310629ca173633560306a374c989d3ce900743fee398580548

C:\Users\Admin\AppData\Local\Temp\61d76a2ebdfbb7b3b1dfad011fb9428f0c803b0628a5ae28b2f5cea15a1bda95.exe.exe

MD5 30ac0b832d75598fb3ec37b6f2a8c86a
SHA1 6f47dbfd6ff36df7ba581a4cef024da527dc3046
SHA256 1ea0839c8dc95ad2c060af7d042c40c0daed58ce8e4524c0fba12fd73e4afb74
SHA512 505870601a4389b7ed2c8fecf85835adfd2944cbc10801f74bc4e08f5a0d6ecc9a52052fc37e216304cd1655129021862294a698ed36b3b43d428698f7263057

memory/1780-18-0x0000000000400000-0x000000000043D000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3169499791-3545231813-3156325206-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

C:\Program Files\7-Zip\7z.exe

MD5 84077a87183a7cb06546028816b7904f
SHA1 192f2e65f048c44d212d089814d6cbfda79c75d0
SHA256 465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5
SHA512 9f9b0136a70cd24a540c3825694885334eb1e1dadf5e192bafdf2280befbef8c9746efa14e7d3059807a9a0ae64215eb41301dc4410411715e48917b81f8d2f4

memory/1780-2276-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 21f41242248811873c1451b1bbf0abbb
SHA1 85fe06af630b6d5b26f4e2686483cd2b21f21238
SHA256 5ead7b2db6bd91ffa233801881641df6c7fc35e7c1f1606ebb0293780e909ab1
SHA512 a8729dbc757312b7dbbcf975a3b395b2f7e0e7844110ea4d544d02a699bb6a90f9786273f26a9efc52b56ede0c2c7ee2a6ab19262c528f6a69eab4a5b3af6768

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 1ad09ab121869e9bedf81b1e82331d05
SHA1 21270e52207071b7d304acb7d776c9abba38c15c
SHA256 834cd914a6bc7c3eadf3b23bacc01433aa6a32411ab547d958604a1c434518b7
SHA512 4b1f28d726ec031fd0350a21ea7091087ae2688818716f7add7524fdf06a07d5937a4aa53c6029d2fab093714b1b48b8032927b56e2c207158946f6c71e6646b

memory/1780-8747-0x0000000000400000-0x000000000043D000-memory.dmp