Malware Analysis Report

2024-11-30 04:19

Sample ID 240613-a2zz1s1emn
Target ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8
SHA256 ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8
Tags
spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8

Threat Level: Shows suspicious behavior

The file ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8 was found to show suspicious behavior.

Malicious Activity Summary

spyware stealer

Loads dropped DLL

Reads user/profile data of web browsers

Deletes itself

Drops startup file

Executes dropped EXE

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Runs net.exe
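
Read together with the signature tables in the behavioral sections, the list above describes a sample that copies itself to C:\Windows\Logo1_.exe, drops rundl132.exe and Dll.dll beside it, stops "Kingsoft AntiVirus Service" through net.exe, probes every drive letter and writes _desktop.ini files across Program Files, the Word STARTUP folder and a mounted drive's $RECYCLE.BIN, opens existing executables for modification, and launches a $$a*.bat batch file from %TEMP% via cmd.exe. The following is an added example, not part of the sandbox output: detection logic for those behaviours run over constructed Sysmon-style events (event ID 1 process creation with a command line, event ID 11 file creation with a target path). The event field names, the benign noise events and the mass-drop threshold are assumptions; the indicator values are taken from the tables in this report.

```python
"""Detection rules for the behaviours in this report, run over constructed
Sysmon-style events. Added example; not part of the sandbox output."""
import re
from collections import Counter

# Host indicators copied from the "Drops file in Windows directory" table.
DROPPED_IN_WINDOWS = {
    r"c:\windows\logo1_.exe",
    r"c:\windows\rundl132.exe",
    r"c:\windows\dll.dll",
}
# net.exe / net1.exe stopping the Kingsoft service ("Runs net.exe").
AV_SERVICE_STOP = re.compile(
    r'(?:^|\\|\s)net1?(?:\.exe)?\s+stop\s+"?kingsoft antivirus service"?', re.I)
# cmd.exe /c <temp>\$$a<hex>.bat, the batch file the sample runs from %TEMP%.
SELF_DELETE_BAT = re.compile(
    r"\bcmd(?:\.exe)?\s+/c\s+\S*\\appdata\\local\\temp\\\$\$a[0-9a-f]+\.bat\b", re.I)
# _desktop.ini written under Program Files, the Word STARTUP folder, or a
# drive's $RECYCLE.BIN ("Drops file in Program Files directory", "Drops startup file").
DESKTOP_INI_DROP = re.compile(
    r"^(?:[a-z]:\\program files(?: \(x86\))?\\"
    r"|[a-z]:\\users\\[^\\]+\\appdata\\roaming\\microsoft\\word\\startup\\"
    r"|[a-z]:\\\$recycle\.bin\\).*_desktop\.ini$", re.I)
# An existing executable under Program Files being written to (jmap.exe etc.).
PE_WRITE_IN_PROGRAM_FILES = re.compile(
    r"^[a-z]:\\program files(?: \(x86\))?\\.*\.exe$", re.I)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe"

# Constructed events modelled on the report. Field names are an assumption:
# "id" 1 = process create with "cmd", "id" 11 = file create with "target".
EVENTS = [
    {"id": 1, "pid": 2012, "image": SAMPLE, "cmd": f'"{SAMPLE}"'},
    {"id": 1, "pid": 3224, "image": r"C:\Windows\SysWOW64\net.exe",
     "cmd": 'net stop "Kingsoft AntiVirus Service"'},
    {"id": 1, "pid": 1808, "image": r"C:\Windows\SysWOW64\net1.exe",
     "cmd": r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'},
    {"id": 11, "pid": 2012, "target": r"C:\Windows\rundl132.exe"},
    {"id": 11, "pid": 2012, "target": r"C:\Windows\Logo1_.exe"},
    {"id": 1, "pid": 528, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmd": r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a418D.bat"},
    {"id": 1, "pid": 4716, "image": r"C:\Windows\Logo1_.exe", "cmd": r"C:\Windows\Logo1_.exe"},
    {"id": 11, "pid": 4716, "target": r"C:\Windows\Dll.dll"},
    {"id": 11, "pid": 4716, "target": r"C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini"},
    {"id": 11, "pid": 4716, "target": r"C:\Program Files\VideoLAN\VLC\plugins\audio_output\_desktop.ini"},
    {"id": 11, "pid": 4716, "target": r"F:\$RECYCLE.BIN\S-1-5-21-2804150937-2146708401-419095071-1000\_desktop.ini"},
    {"id": 11, "pid": 4716, "target": r"C:\Program Files\Java\jdk-1.8\bin\jmap.exe"},
    # Benign noise (constructed) that must not match any rule.
    {"id": 1, "pid": 900, "image": r"C:\Windows\System32\svchost.exe", "cmd": "svchost.exe -k netsvcs"},
    {"id": 11, "pid": 900, "target": r"C:\Users\Admin\Desktop\notes.txt"},
    {"id": 11, "pid": 901, "target": r"C:\Program Files\Example\readme.txt"},
]


def detect(events):
    """Return one (rule, pid, indicator) tuple per event that matches a rule."""
    hits = []
    for ev in events:
        if ev["id"] == 1:
            cmd = ev.get("cmd", "")
            if AV_SERVICE_STOP.search(cmd):
                hits.append(("av_service_stop", ev["pid"], cmd))
            if SELF_DELETE_BAT.search(cmd):
                hits.append(("temp_batch_via_cmd", ev["pid"], cmd))
        elif ev["id"] == 11:
            target = ev["target"]
            if target.lower() in DROPPED_IN_WINDOWS:
                hits.append(("dropped_in_windows", ev["pid"], target))
            elif DESKTOP_INI_DROP.search(target):
                hits.append(("desktop_ini_drop", ev["pid"], target))
            elif PE_WRITE_IN_PROGRAM_FILES.search(target):
                hits.append(("pe_write_in_program_files", ev["pid"], target))
    return hits


def verdict(hits, ini_threshold=3):
    """Collapse per-event hits into behaviour names plus per-rule counts.
    A single process writing ini_threshold or more _desktop.ini files is
    reported as a mass drop; the threshold is an assumption (the report
    shows hundreds from one process)."""
    counts = Counter(rule for rule, _, _ in hits)
    behaviours = set(counts)
    ini_by_pid = Counter(pid for rule, pid, _ in hits if rule == "desktop_ini_drop")
    if any(n >= ini_threshold for n in ini_by_pid.values()):
        behaviours.add("mass_desktop_ini_drop")
    return dict(counts), sorted(behaviours)


if __name__ == "__main__":
    hits = detect(EVENTS)
    for rule, pid, indicator in hits:
        print(f"{rule:28} pid={pid:<5} {indicator}")
    print(verdict(hits))
```

The rules are deliberately narrow (exact dropped paths, the exact service name, the $$a<hex>.bat naming) so that they can be lifted into an EDR query with few false positives; the desktop-ini and PE-write rules are the ones worth broadening for hunting, since they capture how the sample spreads rather than what it is called.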

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 00:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 00:43

Reported

2024-06-13 00:45

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

158s

Command Line

C:\Windows\Explorer.EXE

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: and \??\G: through \??\Z: (21 drive letters, one row each in the original listing) C:\Windows\Logo1_.exe N/A

A: through D: and F: do not appear in this list. F: was mounted during the run: the Files list below records _desktop.ini written under F:\$RECYCLE.BIN, so the probe is followed by writes on any drive that exists.

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jmap.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Source Engine\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hr-hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\cmm\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sk-sk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Internet Explorer\uk-UA\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\fr-fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Defender\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\NETWORK\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\text_renderer\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-ma\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\nb-no\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\he-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\Common AppData\Microsoft\OFFICE\Heartbeat\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\uk-ua\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\de-de\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sl-si\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\audio_output\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AdobeCollabSync.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\LanguageNames2\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-cn\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\hy\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-cn\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\loc\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sl-si\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hr-hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hu-hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\en_US\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Rows
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe N/A 26
N/A N/A C:\Windows\Logo1_.exe N/A 38

Rows = number of identical entries in the original listing.

Suspicious use of WriteProcessMemory

Description Indicator Process Target Rows
PID 2012 wrote to memory of 3224 N/A C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe C:\Windows\SysWOW64\net.exe 3
PID 3224 wrote to memory of 1808 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe 3
PID 2012 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe C:\Windows\SysWOW64\cmd.exe 3
PID 2012 wrote to memory of 4716 N/A C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe C:\Windows\Logo1_.exe 3
PID 4716 wrote to memory of 3652 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe 3
PID 3652 wrote to memory of 1948 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe 3
PID 528 wrote to memory of 4524 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe 2
PID 4716 wrote to memory of 3884 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe 3
PID 3884 wrote to memory of 2984 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe 3
PID 4716 wrote to memory of 3436 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE 2

Rows = number of identical entries in the original listing. Writes into a child the process has just created are normal process start-up and are what most of these rows record; the two writes from Logo1_.exe (4716) into the already-running Explorer.EXE (3436) are the one case of a write into a pre-existing process.
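
Because the sandbox records every write into a new process's address space, each parent/child pair in the table above appears two or three times. Collapsing the rows and treating each source/target pair as an edge gives the process tree. The following is an added example, not part of the sandbox output: it parses rows in the exact format of the table (the rows are rebuilt from constants so the long sample path is spelled out once), de-duplicates them, finds the root, and renders the tree with write counts. Marking Explorer.EXE as an already-running process is based on its image name and is an assumption for this example; the table alone cannot distinguish process creation from injection.

```python
"""Rebuild the process tree from 'PID X wrote to memory of Y' rows.
Added example; not part of the sandbox output."""
import re
from collections import Counter

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe"
NET, NET1 = r"C:\Windows\SysWOW64\net.exe", r"C:\Windows\SysWOW64\net1.exe"
CMD, LOGO, EXPL = r"C:\Windows\SysWOW64\cmd.exe", r"C:\Windows\Logo1_.exe", r"C:\Windows\Explorer.EXE"


def row(src, dst, src_img, dst_img, times):
    """Reproduce `times` identical rows in the report's own format."""
    return [f"PID {src} wrote to memory of {dst} N/A {src_img} {dst_img}"] * times


# The 28 rows of the WriteProcessMemory table, including the duplicates.
ROWS = (row(2012, 3224, SAMPLE, NET, 3) + row(3224, 1808, NET, NET1, 3)
        + row(2012, 528, SAMPLE, CMD, 3) + row(2012, 4716, SAMPLE, LOGO, 3)
        + row(4716, 3652, LOGO, NET, 3) + row(3652, 1948, NET, NET1, 3)
        + row(528, 4524, CMD, SAMPLE, 2) + row(4716, 3884, LOGO, NET, 3)
        + row(3884, 2984, NET, NET1, 3) + row(4716, 3436, LOGO, EXPL, 2))

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+)$")
DRIVE_RE = re.compile(r"[A-Za-z]:\\")
# Images assumed to have been running before the sample started: a write
# into one of these is injection, not process creation. Assumption.
PRE_EXISTING = {"explorer.exe"}


def parse_row(line):
    """Return (src_pid, dst_pid, src_image, dst_image), or None if malformed."""
    m = ROW_RE.match(line.strip())
    if not m:
        return None
    src, dst, rest = int(m.group(1)), int(m.group(2)), m.group(3)
    # The two paths are separated by a single space; split at the last
    # drive-letter prefix so a source path containing spaces still parses.
    starts = [x.start() for x in DRIVE_RE.finditer(rest)]
    if len(starts) < 2:
        return None
    return src, dst, rest[:starts[-1]].rstrip(), rest[starts[-1]:]


def build_graph(lines):
    """edges: Counter of (src, dst) -> number of rows; image: pid -> path."""
    edges, image = Counter(), {}
    for line in lines:
        parsed = parse_row(line)
        if parsed is None:
            continue
        src, dst, src_img, dst_img = parsed
        edges[(src, dst)] += 1
        image.setdefault(src, src_img)
        image.setdefault(dst, dst_img)
    return edges, image


def roots(edges):
    """PIDs that wrote into others but were never written into."""
    return sorted({s for s, _ in edges} - {d for _, d in edges})


def children(edges, pid):
    """Targets of `pid`, in the order the table first mentions them."""
    return [d for s, d in edges if s == pid]


def render(edges, image, pid, depth=0, via=None):
    """Indented tree lines; each child line carries its write count."""
    name = image[pid].rsplit("\\", 1)[-1].lower()
    note = f" ({edges[via]} writes)" if via else ""
    if via and name in PRE_EXISTING:
        note += " [injection into already-running process]"
    lines = [f"{'  ' * depth}{pid} {image[pid]}{note}"]
    for child in children(edges, pid):
        lines.extend(render(edges, image, child, depth + 1, (pid, child)))
    return lines


if __name__ == "__main__":
    edges, image = build_graph(ROWS)
    for root in roots(edges):
        print("\n".join(render(edges, image, root)))
```

The same parser can be pointed at any sandbox report in this format; where a write goes to a PID that already had a parent (or to a well-known shell such as explorer.exe), treat it as injection and pivot to that process's later activity rather than to the writer's.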

Processes

Each entry is the image path followed by its command line. PIDs and parent/child links are taken from the WriteProcessMemory table above; indentation shows the tree.

C:\Windows\Explorer.EXE (PID 3436, already running; Logo1_.exe wrote into its memory)
  C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe (PID 2012)
  "C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe"

    C:\Windows\SysWOW64\net.exe (PID 3224)
      net stop "Kingsoft AntiVirus Service"

        C:\Windows\SysWOW64\net1.exe (PID 1808)
          C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

    C:\Windows\SysWOW64\cmd.exe (PID 528)
      C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a418D.bat

        C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe (PID 4524)
          "C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe"

    C:\Windows\Logo1_.exe (PID 4716)
      C:\Windows\Logo1_.exe

        C:\Windows\SysWOW64\net.exe (PID 3652)
          net stop "Kingsoft AntiVirus Service"

            C:\Windows\SysWOW64\net1.exe (PID 1948)
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

        C:\Windows\SysWOW64\net.exe (PID 3884)
          net stop "Kingsoft AntiVirus Service"

            C:\Windows\SysWOW64\net1.exe (PID 2984)
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

Files

Files written during detonation, with hashes as captured after the run. The pre-installed third-party executables in this list (7z.exe, GoogleUpdateCore.exe, windowsdesktop-runtime-8.0.2-win-x64.exe) appear here because they were written to during the run, as the Program Files table above also shows for jmap.exe, AdobeCollabSync.exe and jp2launcher.exe; treat their hashes as post-infection values, not the vendors' originals.

memory/2012-0-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\Logo1_.exe

MD5 9f85e7536d590c9790216db83cd4226e
SHA1 4ba479e9e327319c546916f382b5dda9b0217973
SHA256 6ce51f68013320d84f843b0d21c772d7fe1316ae74987e719dbd96ad59fa2273
SHA512 1ae9fc776270b6d45834dfc7c6648832df68a1016ae4456153e3fb7524cd190431fc2828dc7933ee2ccd9eac7a08c11e7697a3dcbbcde96d76335b1b08f292ea

memory/2012-10-0x0000000000400000-0x000000000043D000-memory.dmp

memory/4716-11-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a418D.bat

MD5 c81fc9e537b8d437405c73564cc2722f
SHA1 483c7a98fda4004b58a6cffca0518f40fbd0181a
SHA256 2dcbf957daf6e95f617ca86ec7657dd8e6faedc1ad70172901d6bfaf2bb7beff
SHA512 93b0e1d11f6e3b21ebe63358c346ff87e6cc5a8985e39635e8b850bd3ad45635f89a35f80c1a266f2484e78c86cbf55b3716b3377ca0ce2edbbed226032bb2bc

C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe.exe

MD5 5fbd45261a2de3bb42f489e825a9a935
SHA1 ff388f6e9efe651ec62c4152c1739783e7899293
SHA256 9e63701598199d5c47217e23b44d0e3ec5d53f5419166b1b6c68a7e9e8fc47a4
SHA512 7f22b1995a07016adb342c551454d602bfbe511525139aee8581b62116608e9e278fd81c26382f1333c7eccded4474196e73c093bb5cbf8e8f203e865024c058

memory/4716-18-0x0000000000400000-0x000000000043D000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-2804150937-2146708401-419095071-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

C:\Program Files\7-Zip\7z.exe

MD5 84077a87183a7cb06546028816b7904f
SHA1 192f2e65f048c44d212d089814d6cbfda79c75d0
SHA256 465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5
SHA512 9f9b0136a70cd24a540c3825694885334eb1e1dadf5e192bafdf2280befbef8c9746efa14e7d3059807a9a0ae64215eb41301dc4410411715e48917b81f8d2f4

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 21f41242248811873c1451b1bbf0abbb
SHA1 85fe06af630b6d5b26f4e2686483cd2b21f21238
SHA256 5ead7b2db6bd91ffa233801881641df6c7fc35e7c1f1606ebb0293780e909ab1
SHA512 a8729dbc757312b7dbbcf975a3b395b2f7e0e7844110ea4d544d02a699bb6a90f9786273f26a9efc52b56ede0c2c7ee2a6ab19262c528f6a69eab4a5b3af6768

memory/4716-5128-0x0000000000400000-0x000000000043D000-memory.dmp

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 1ad09ab121869e9bedf81b1e82331d05
SHA1 21270e52207071b7d304acb7d776c9abba38c15c
SHA256 834cd914a6bc7c3eadf3b23bacc01433aa6a32411ab547d958604a1c434518b7
SHA512 4b1f28d726ec031fd0350a21ea7091087ae2688818716f7add7524fdf06a07d5937a4aa53c6029d2fab093714b1b48b8032927b56e2c207158946f6c71e6646b

memory/4716-8740-0x0000000000400000-0x000000000043D000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 00:43

Reported

2024-06-13 00:45

Platform

win7-20240508-en

Max time kernel

149s

Max time network

124s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: and \??\G: through \??\Z: (21 drive letters, one row each in the original listing) C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\am_ET\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\javaw.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ms\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\si\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Minesweeper\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\da\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\or_IN\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\control\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\server\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\zu\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_chroma\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Help\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Internet Explorer\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\am_ET\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ml\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Media Player\Network Sharing\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\eo\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ky\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\misc\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LAYERS\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\lt\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ms\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2372 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe C:\Windows\SysWOW64\net.exe
PID 2372 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe C:\Windows\SysWOW64\net.exe
PID 2372 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe C:\Windows\SysWOW64\net.exe
PID 2372 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe C:\Windows\SysWOW64\net.exe
PID 2472 wrote to memory of 2604 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2472 wrote to memory of 2604 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2472 wrote to memory of 2604 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2472 wrote to memory of 2604 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2372 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe C:\Windows\SysWOW64\cmd.exe
PID 2372 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe C:\Windows\SysWOW64\cmd.exe
PID 2372 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe C:\Windows\SysWOW64\cmd.exe
PID 2372 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe C:\Windows\SysWOW64\cmd.exe
PID 2372 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe C:\Windows\Logo1_.exe
PID 2372 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe C:\Windows\Logo1_.exe
PID 2372 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe C:\Windows\Logo1_.exe
PID 2372 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe C:\Windows\Logo1_.exe
PID 2628 wrote to memory of 2800 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2628 wrote to memory of 2800 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2628 wrote to memory of 2800 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2628 wrote to memory of 2800 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2800 wrote to memory of 2672 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2800 wrote to memory of 2672 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2800 wrote to memory of 2672 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2800 wrote to memory of 2672 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2344 wrote to memory of 2528 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe
PID 2344 wrote to memory of 2528 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe
PID 2344 wrote to memory of 2528 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe
PID 2344 wrote to memory of 2528 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe
PID 2628 wrote to memory of 2608 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2628 wrote to memory of 2608 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2628 wrote to memory of 2608 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2628 wrote to memory of 2608 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2608 wrote to memory of 2656 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2608 wrote to memory of 2656 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2608 wrote to memory of 2656 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2608 wrote to memory of 2656 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2628 wrote to memory of 1204 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2628 wrote to memory of 1204 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe

"C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2B83.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe

"C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/2372-0-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a2B83.bat

MD5 bc33bb9eb1f918a2f41110bf556fec3d
SHA1 f04be44751a7d825bf03b0fd0556118c8a0ce9c3
SHA256 98b120f2b7297fc7907c6ba29edefcc7b2d1f5946462fb7497fd1b5e38e7c6bc
SHA512 f9c050a294f2c1f0d4011bd619414de573d9970c6c135d75f794a4a8f27026b73aa1d465793c2339cc6ea4bc475d996e0524b021044fdb973a50f6a7bdfd0047

memory/2372-15-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\Logo1_.exe

MD5 9f85e7536d590c9790216db83cd4226e
SHA1 4ba479e9e327319c546916f382b5dda9b0217973
SHA256 6ce51f68013320d84f843b0d21c772d7fe1316ae74987e719dbd96ad59fa2273
SHA512 1ae9fc776270b6d45834dfc7c6648832df68a1016ae4456153e3fb7524cd190431fc2828dc7933ee2ccd9eac7a08c11e7697a3dcbbcde96d76335b1b08f292ea

memory/2628-17-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ae20f345f9a5903c752fd03818286e5dd0a34b7cc4b631c0ed21cdd3e33060a8.exe.exe

MD5 5fbd45261a2de3bb42f489e825a9a935
SHA1 ff388f6e9efe651ec62c4152c1739783e7899293
SHA256 9e63701598199d5c47217e23b44d0e3ec5d53f5419166b1b6c68a7e9e8fc47a4
SHA512 7f22b1995a07016adb342c551454d602bfbe511525139aee8581b62116608e9e278fd81c26382f1333c7eccded4474196e73c093bb5cbf8e8f203e865024c058

memory/1204-26-0x0000000002ED0000-0x0000000002ED1000-memory.dmp

memory/2628-29-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2372-30-0x0000000000400000-0x000000000043D000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-268080393-3149932598-1824759070-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 21f41242248811873c1451b1bbf0abbb
SHA1 85fe06af630b6d5b26f4e2686483cd2b21f21238
SHA256 5ead7b2db6bd91ffa233801881641df6c7fc35e7c1f1606ebb0293780e909ab1
SHA512 a8729dbc757312b7dbbcf975a3b395b2f7e0e7844110ea4d544d02a699bb6a90f9786273f26a9efc52b56ede0c2c7ee2a6ab19262c528f6a69eab4a5b3af6768

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 7b714d463f7db900d5b6e757778a8ab8
SHA1 2cfc0e9f54236af8e10b0bfa551d87a20982b733
SHA256 c995370836939a29853611830ca08d437286d4f45603edce88f36aa1f99a0d97
SHA512 e8fe8823b5b7f282c24c964cbf4f248b7562259a13410bf95997288727f9bfc6ea51c4aa40182b649a2235bafc02062e0c57f4f62876b5174395071a8d68f9bb

memory/2628-3345-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2628-4170-0x0000000000400000-0x000000000043D000-memory.dmp