Malware Analysis Report

2024-11-30 04:19

Sample ID 240613-a2zz1s1emp
Target b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931
SHA256 b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931
Tags
spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931

Threat Level: Shows suspicious behavior

The file b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931 was classified as: Shows suspicious behavior.

Malicious Activity Summary

spyware stealer

Drops startup file

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Runs net.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 00:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 00:43

Reported

2024-06-13 00:45

Platform

win7-20240508-en

Max time kernel

149s

Max time network

127s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Uninstall Information\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\spu\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\FreeCell\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\eu\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Chess\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Media Player\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Help\en_US\Adobe Reader\9.0\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\he\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\id\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Updater6\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Defender\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\1028\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VBA\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\km\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\visualization\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Uninstall Information\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Minesweeper\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Checkers\chkrzm.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Defender\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\{7ADE9966-696F-4996-9E1A-1D7786573DA1}\chrome_installer.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ca@valencia\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Mahjong\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Mail\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Office14\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Internet Explorer\SIGNUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Mahjong\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Media Player\Media Renderer\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Help\en_US\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2408 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe C:\Windows\SysWOW64\net.exe
PID 2260 wrote to memory of 808 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2408 wrote to memory of 2664 N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe C:\Windows\Logo1_.exe
PID 2300 wrote to memory of 2756 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2756 wrote to memory of 2380 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2664 wrote to memory of 2672 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe
PID 2300 wrote to memory of 2592 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2592 wrote to memory of 2872 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2300 wrote to memory of 1196 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe

"C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2A4B.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe

"C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/2408-0-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a2A4B.bat

MD5 542e48d94ec2e1edefa270ad9b0feac4
SHA1 23512027d0eef5583e4d773840b7376d033f77d2
SHA256 73a198e94afa8dac811dab591bb88de8c344ac2031ec3d65f2fa50a31cd272b8
SHA512 093ce63dc2a23ea5969c1bc987fc623e174d82d9bcdcbb180a60b1db2f8a04e3e7426e9de4309f8dc88065c35aad0f973073a11f3f6940bd267ebec1a0429d6f

C:\Windows\Logo1_.exe

MD5 9f85e7536d590c9790216db83cd4226e
SHA1 4ba479e9e327319c546916f382b5dda9b0217973
SHA256 6ce51f68013320d84f843b0d21c772d7fe1316ae74987e719dbd96ad59fa2273
SHA512 1ae9fc776270b6d45834dfc7c6648832df68a1016ae4456153e3fb7524cd190431fc2828dc7933ee2ccd9eac7a08c11e7697a3dcbbcde96d76335b1b08f292ea

memory/2300-18-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2408-17-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe.exe

MD5 9f498971cbe636662f3d210747d619e1
SHA1 44b8e2732fa1e2f204fc70eaa1cb406616250085
SHA256 8adf6748981c3e7b62f5dbca992be6675574fffbce7673743f2d7fe787d56a41
SHA512 b73083c2f7b028d2946cb8f7b4fe2289fedaa4175364a2aac37db0aeff4602aede772ccc9eba7e6dcfcb7276e52604ca45d8021952201b5834485b48bca3dc93

memory/1196-27-0x0000000003050000-0x0000000003051000-memory.dmp

memory/2300-31-0x0000000000400000-0x000000000043D000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-268080393-3149932598-1824759070-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 21f41242248811873c1451b1bbf0abbb
SHA1 85fe06af630b6d5b26f4e2686483cd2b21f21238
SHA256 5ead7b2db6bd91ffa233801881641df6c7fc35e7c1f1606ebb0293780e909ab1
SHA512 a8729dbc757312b7dbbcf975a3b395b2f7e0e7844110ea4d544d02a699bb6a90f9786273f26a9efc52b56ede0c2c7ee2a6ab19262c528f6a69eab4a5b3af6768

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 7b714d463f7db900d5b6e757778a8ab8
SHA1 2cfc0e9f54236af8e10b0bfa551d87a20982b733
SHA256 c995370836939a29853611830ca08d437286d4f45603edce88f36aa1f99a0d97
SHA512 e8fe8823b5b7f282c24c964cbf4f248b7562259a13410bf95997288727f9bfc6ea51c4aa40182b649a2235bafc02062e0c57f4f62876b5174395071a8d68f9bb

memory/2300-3342-0x0000000000400000-0x000000000043D000-memory.dmp

memory/2300-4172-0x0000000000400000-0x000000000043D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 00:43

Reported

2024-06-13 00:45

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\eu-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\jquery.ui.touch-punch\0.2.2\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\cs-cz\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\uk\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nb-no\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fi\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\PMP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\filecompare.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft.NET\ADOMD.NET\130\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\el\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\de-de\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\CASCADE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\audio_filter\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\hu-hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugins\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\uk-UA\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EDGE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ta\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\en\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateComRegisterShell64.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ca-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ja-jp\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pl-pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\de-de\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\pt-BR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\Office16\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fi-fi\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hr-hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ca-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sk-sk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\PublicAssemblies\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\pack200.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Configuration\Schema\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\fi-fi\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1372 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe C:\Windows\SysWOW64\net.exe
PID 1372 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe C:\Windows\SysWOW64\net.exe
PID 1372 wrote to memory of 1796 N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe C:\Windows\SysWOW64\net.exe
PID 1796 wrote to memory of 784 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1796 wrote to memory of 784 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1796 wrote to memory of 784 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1372 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe C:\Windows\SysWOW64\cmd.exe
PID 1372 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe C:\Windows\SysWOW64\cmd.exe
PID 1372 wrote to memory of 3176 N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe C:\Windows\SysWOW64\cmd.exe
PID 1372 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe C:\Windows\Logo1_.exe
PID 1372 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe C:\Windows\Logo1_.exe
PID 1372 wrote to memory of 3276 N/A C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe C:\Windows\Logo1_.exe
PID 3276 wrote to memory of 3244 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3276 wrote to memory of 3244 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3276 wrote to memory of 3244 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3176 wrote to memory of 5244 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe
PID 3176 wrote to memory of 5244 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe
PID 3244 wrote to memory of 2868 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3244 wrote to memory of 2868 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3244 wrote to memory of 2868 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3276 wrote to memory of 844 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3276 wrote to memory of 844 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3276 wrote to memory of 844 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 844 wrote to memory of 3968 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 844 wrote to memory of 3968 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 844 wrote to memory of 3968 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3276 wrote to memory of 3548 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 3276 wrote to memory of 3548 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe

"C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3F99.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe

"C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

Country Destination Domain Proto
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/1372-0-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\Logo1_.exe

MD5 9f85e7536d590c9790216db83cd4226e
SHA1 4ba479e9e327319c546916f382b5dda9b0217973
SHA256 6ce51f68013320d84f843b0d21c772d7fe1316ae74987e719dbd96ad59fa2273
SHA512 1ae9fc776270b6d45834dfc7c6648832df68a1016ae4456153e3fb7524cd190431fc2828dc7933ee2ccd9eac7a08c11e7697a3dcbbcde96d76335b1b08f292ea

memory/1372-9-0x0000000000400000-0x000000000043D000-memory.dmp

memory/3276-11-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3F99.bat

MD5 f946932de3e213535444e7241d59a779
SHA1 2dcdf04ae498bd0d3870562715fe7d4db7800813
SHA256 74b0ffaa73065014b8180473ca3400edea01e5abf91da86d5356df9a993c3718
SHA512 307ca7bdab2c105a926d0157758164446240f35e93edcdec6bfadc1fc312653801bcc133630426e080b0d9da6cc48447f8147114771e199a9cefb926e8a99111

C:\Users\Admin\AppData\Local\Temp\b065d84e7666f2d245e620126465274e17aa94baa626ec4fc1d7cd21d6413931.exe.exe

MD5 9f498971cbe636662f3d210747d619e1
SHA1 44b8e2732fa1e2f204fc70eaa1cb406616250085
SHA256 8adf6748981c3e7b62f5dbca992be6675574fffbce7673743f2d7fe787d56a41
SHA512 b73083c2f7b028d2946cb8f7b4fe2289fedaa4175364a2aac37db0aeff4602aede772ccc9eba7e6dcfcb7276e52604ca45d8021952201b5834485b48bca3dc93

memory/3276-18-0x0000000000400000-0x000000000043D000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-2447855248-390457009-3660902674-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

C:\Program Files\7-Zip\7z.exe

MD5 84077a87183a7cb06546028816b7904f
SHA1 192f2e65f048c44d212d089814d6cbfda79c75d0
SHA256 465180cf8ae7851bd9f0d9d3802cf252edefefb1846c1322bfab4a9bf7138ed5
SHA512 9f9b0136a70cd24a540c3825694885334eb1e1dadf5e192bafdf2280befbef8c9746efa14e7d3059807a9a0ae64215eb41301dc4410411715e48917b81f8d2f4

memory/3276-2708-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 21f41242248811873c1451b1bbf0abbb
SHA1 85fe06af630b6d5b26f4e2686483cd2b21f21238
SHA256 5ead7b2db6bd91ffa233801881641df6c7fc35e7c1f1606ebb0293780e909ab1
SHA512 a8729dbc757312b7dbbcf975a3b395b2f7e0e7844110ea4d544d02a699bb6a90f9786273f26a9efc52b56ede0c2c7ee2a6ab19262c528f6a69eab4a5b3af6768

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 1ad09ab121869e9bedf81b1e82331d05
SHA1 21270e52207071b7d304acb7d776c9abba38c15c
SHA256 834cd914a6bc7c3eadf3b23bacc01433aa6a32411ab547d958604a1c434518b7
SHA512 4b1f28d726ec031fd0350a21ea7091087ae2688818716f7add7524fdf06a07d5937a4aa53c6029d2fab093714b1b48b8032927b56e2c207158946f6c71e6646b

memory/3276-8690-0x0000000000400000-0x000000000043D000-memory.dmp