Malware Analysis Report

2024-11-15 06:34

Sample ID 240613-ec4zwstbnh
Target 17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4
SHA256 17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4
Tags
spyware stealer
Score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score
7/10

SHA256

17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4

Threat Level: Shows suspicious behavior

The file 17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4 was found to show suspicious behavior.

Malicious Activity Summary

spyware stealer

Deletes itself

Loads dropped DLL

Reads user/profile data of web browsers

Drops startup file

Executes dropped EXE

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 03:48

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 03:48

Reported

2024-06-13 03:51

Platform

win7-20240419-en

Max time kernel

150s

Max time network

121s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre7\lib\jfr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\modules\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Solitaire\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ja\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Journal\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VC\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\More Games\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Stacking\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\cgg\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Internet Explorer\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Photo Viewer\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Internet Explorer\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Internet Explorer\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Defender\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Full\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\hi\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\ImagingDevices.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\setup_wm.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\orbd.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\fur\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\sv\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1996 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe C:\Windows\SysWOW64\net.exe
PID 1996 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe C:\Windows\SysWOW64\net.exe
PID 1996 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe C:\Windows\SysWOW64\net.exe
PID 1996 wrote to memory of 2240 N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe C:\Windows\SysWOW64\net.exe
PID 2240 wrote to memory of 1924 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2240 wrote to memory of 1924 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2240 wrote to memory of 1924 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2240 wrote to memory of 1924 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1996 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe C:\Windows\SysWOW64\cmd.exe
PID 1996 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe C:\Windows\Logo1_.exe
PID 1996 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe C:\Windows\Logo1_.exe
PID 1996 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe C:\Windows\Logo1_.exe
PID 1996 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe C:\Windows\Logo1_.exe
PID 2588 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe
PID 2588 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe
PID 2588 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe
PID 2588 wrote to memory of 2720 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe
PID 2292 wrote to memory of 2700 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2292 wrote to memory of 2700 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2292 wrote to memory of 2700 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2292 wrote to memory of 2700 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2700 wrote to memory of 2628 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2700 wrote to memory of 2628 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2700 wrote to memory of 2628 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2700 wrote to memory of 2628 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2292 wrote to memory of 2692 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2292 wrote to memory of 2692 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2292 wrote to memory of 2692 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2292 wrote to memory of 2692 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2692 wrote to memory of 2536 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2692 wrote to memory of 2536 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2692 wrote to memory of 2536 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2692 wrote to memory of 2536 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2292 wrote to memory of 1192 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2292 wrote to memory of 1192 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe

"C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1F05.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe

"C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/1996-0-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a1F05.bat

MD5 e12d46f2c0a4ad5066dd17009071754e
SHA1 a1ab03ac46c06d4886aacd4a439720a3028da43b
SHA256 71fe1f1b000dbe397e16426d0c8d8dec0d0dce66c23e390ca0e07bb8e5e8d111
SHA512 c1f9317e11e8665a398a77756c28b9c504c878aed77cb89ff467e488b0b4a0025036abfd4b157a63276f4c29ca5c1c1662c8662c1df70c47c5a67a94ce609159

memory/1996-16-0x0000000000440000-0x0000000000480000-memory.dmp

memory/1996-18-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\Logo1_.exe

MD5 94cd6d8f19aa605f6272e77718e921cc
SHA1 e3a27adc311ba10d769eec7d49c4fcd31d5cc8d3
SHA256 e4b85b1edd03642cf845907985a60ace501a481804fc68d4862e6c119d3fbc18
SHA512 4bc4bf143cc1810ac59b481fe7553e7a34531daa8d32494868e2a9c506d8862ed3a9b590b592b457f1df62627186b9d4c8d773eff6adc0f4b62865fb47a072bb

memory/2292-19-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe.exe

MD5 9f498971cbe636662f3d210747d619e1
SHA1 44b8e2732fa1e2f204fc70eaa1cb406616250085
SHA256 8adf6748981c3e7b62f5dbca992be6675574fffbce7673743f2d7fe787d56a41
SHA512 b73083c2f7b028d2946cb8f7b4fe2289fedaa4175364a2aac37db0aeff4602aede772ccc9eba7e6dcfcb7276e52604ca45d8021952201b5834485b48bca3dc93

memory/1192-28-0x0000000002CE0000-0x0000000002CE1000-memory.dmp

memory/2292-32-0x0000000000400000-0x0000000000440000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-481678230-3773327859-3495911762-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 89a73460685a8ec8c28faa6831606709
SHA1 97b9556d1cfb15410d3cc325b7d98969baa64621
SHA256 a31c974ecfc6088a80b1494d4d670eb7d68702d46cbcca0b9c6d3ca5f6332d1d
SHA512 f5ab38639c051c177cada9aa101c22d96ee1109a508d228d5cfdb3ccde2224f422c48eb0ccb60740cbd9cad8fc089340a3fa5cab84a2d1793400940ce4fb59e9

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 5264aab343fc1f53c29d1065346d0010
SHA1 db43bc0b28b4ada0c5635db50fd0b64410ab76ad
SHA256 d33d56847b353c8207a43aa01cc75527328ebf4bba669e90e29266d1b6fb57dd
SHA512 bb4ba1f7c5cae56cef564dd99f1a1fd3e2c656f8004f689a22ea641d886cbb3a19dde3dce5be4cf8cee4ce190170fd8c5390cb9c7c40ae54109559685119a958

memory/2292-3344-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2292-4177-0x0000000000400000-0x0000000000440000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 03:48

Reported

2024-06-13 03:51

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

96s

Command Line

C:\Windows\Explorer.EXE

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\he-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\de-de\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\my\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Media Player\wmpshare.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\he-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\fr-fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\fr-ma\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_CA\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\hr-hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ml\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\it-it\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\STUDIO\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fy\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX86\Microsoft Shared\VBA\VBA6\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-cn\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ru-ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ko\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\hu-hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\pl-pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\nb-no\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\eu-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\jfr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-cn\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ru-ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fi-fi\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ca-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Uninstall Information\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-si\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4192 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe C:\Windows\SysWOW64\net.exe
PID 4192 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe C:\Windows\SysWOW64\net.exe
PID 4192 wrote to memory of 3252 N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe C:\Windows\SysWOW64\net.exe
PID 3252 wrote to memory of 3148 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3252 wrote to memory of 3148 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3252 wrote to memory of 3148 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4192 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe C:\Windows\SysWOW64\cmd.exe
PID 4192 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe C:\Windows\SysWOW64\cmd.exe
PID 4192 wrote to memory of 4880 N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe C:\Windows\SysWOW64\cmd.exe
PID 4192 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe C:\Windows\Logo1_.exe
PID 4192 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe C:\Windows\Logo1_.exe
PID 4192 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe C:\Windows\Logo1_.exe
PID 4880 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe
PID 4880 wrote to memory of 2624 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe
PID 3868 wrote to memory of 4028 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3868 wrote to memory of 4028 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3868 wrote to memory of 4028 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4028 wrote to memory of 3664 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4028 wrote to memory of 3664 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4028 wrote to memory of 3664 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3868 wrote to memory of 2636 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3868 wrote to memory of 2636 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3868 wrote to memory of 2636 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2636 wrote to memory of 4916 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2636 wrote to memory of 4916 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2636 wrote to memory of 4916 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3868 wrote to memory of 3468 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 3868 wrote to memory of 3468 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe

"C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3827.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe

"C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/4192-0-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\Logo1_.exe

MD5 94cd6d8f19aa605f6272e77718e921cc
SHA1 e3a27adc311ba10d769eec7d49c4fcd31d5cc8d3
SHA256 e4b85b1edd03642cf845907985a60ace501a481804fc68d4862e6c119d3fbc18
SHA512 4bc4bf143cc1810ac59b481fe7553e7a34531daa8d32494868e2a9c506d8862ed3a9b590b592b457f1df62627186b9d4c8d773eff6adc0f4b62865fb47a072bb

memory/4192-9-0x0000000000400000-0x0000000000440000-memory.dmp

memory/3868-11-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3827.bat

MD5 ab8b6e742bc80a18b558deaefaa9cc1e
SHA1 42a33a65106e18505855c6aae50920e5512624f0
SHA256 51aee962954838ab0ccc99a3a9ea9b874faead6d63f579cb5f0b30c2ce6fcae0
SHA512 07cded79157868f314509268e02b01a332c62eec500a327b6d07e80d6219692a8b69579d32864cf52de99bed78488f4e37b542423fe70debb3491a86672479d1

C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe.exe

MD5 9f498971cbe636662f3d210747d619e1
SHA1 44b8e2732fa1e2f204fc70eaa1cb406616250085
SHA256 8adf6748981c3e7b62f5dbca992be6675574fffbce7673743f2d7fe787d56a41
SHA512 b73083c2f7b028d2946cb8f7b4fe2289fedaa4175364a2aac37db0aeff4602aede772ccc9eba7e6dcfcb7276e52604ca45d8021952201b5834485b48bca3dc93

memory/3868-18-0x0000000000400000-0x0000000000440000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-2080292272-204036150-2159171770-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

C:\Program Files\7-Zip\7z.exe

MD5 ba4c49b7bc2b5f6ec78dec7acc679d17
SHA1 1a32f575ced41a4fd8b7ca8c987c9d1e1c00b036
SHA256 3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca
SHA512 64c6f6c05fae9ba45ba27e315ed147028e45f231c53743fb6aeea7a1089f80898ef8611ada983667583a1ec061237614f8b0d1726043f7f6576b264084671b9e

memory/3868-2858-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 89a73460685a8ec8c28faa6831606709
SHA1 97b9556d1cfb15410d3cc325b7d98969baa64621
SHA256 a31c974ecfc6088a80b1494d4d670eb7d68702d46cbcca0b9c6d3ca5f6332d1d
SHA512 f5ab38639c051c177cada9aa101c22d96ee1109a508d228d5cfdb3ccde2224f422c48eb0ccb60740cbd9cad8fc089340a3fa5cab84a2d1793400940ce4fb59e9

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 11e0853d537d2721ecc655c1fc527e91
SHA1 c8e23d103e93073ba7c93374878ae9a9f926c944
SHA256 f168cda7cfa0f4f1d8dc26f615772410afe41b43fbc3da3cfe2c249b1eadca30
SHA512 3e5af85789e480d355053e9ded02108ae53136aec795d5d37faf1d5426275f7f3729e5583b0a95b3434d5b4452c7382405c0f8bc94e8a65275335c62268e0ee2

memory/3868-8692-0x0000000000400000-0x0000000000440000-memory.dmp
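The process chain in the Processes section (the sample and the dropped C:\Windows\Logo1_.exe each spawning net.exe/net1.exe to stop the Kingsoft AntiVirus service, cmd.exe running the $$a3827.bat self-delete script) and the SHA256 values in the Files section, turned into a hunting script. This is an added example in Python, not part of the sandbox output: it replays the recorded tree as constructed process events, matches each behaviour with a rule, walks a directory for files named like the dropped files and _desktop.ini markers and compares their hashes to the report's. The event record layout, the rule names and the placeholder files in the demo tree are assumptions; the PIDs, paths, command lines and hashes are the report's own.

```python
"""Hunting helpers for the behaviour in this report (added example, not sandbox output):
process-chain rules for the Processes section and hash checks for the Files section."""
import hashlib
import os
import re
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    """Minimal process-creation record; the Sysmon EID 1 style layout is an assumption."""
    pid: int
    ppid: int
    image: str
    cmdline: str


# Constructed events mirroring the Processes / WriteProcessMemory sections. PIDs are the
# sandbox's; the parent PID of Explorer.EXE (0) is a placeholder.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\17c09a3810d4e09dba5eabe52afd22928414057de463f43561e9f3f772fd55a4.exe"
NET, NET1 = r"C:\Windows\SysWOW64\net.exe", r"C:\Windows\SysWOW64\net1.exe"
STOP_AV = 'net stop "Kingsoft AntiVirus Service"'
STOP_AV1 = r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'
EVENTS = [
    ProcEvent(3468, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(4192, 3468, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(3252, 4192, NET, STOP_AV), ProcEvent(3148, 3252, NET1, STOP_AV1),
    ProcEvent(4880, 4192, r"C:\Windows\SysWOW64\cmd.exe",
              r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3827.bat"),
    ProcEvent(3868, 4192, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    ProcEvent(2624, 4880, SAMPLE, f'"{SAMPLE}"'),
    ProcEvent(4028, 3868, NET, STOP_AV), ProcEvent(3664, 4028, NET1, STOP_AV1),
    ProcEvent(2636, 3868, NET, STOP_AV), ProcEvent(4916, 2636, NET1, STOP_AV1),
]

AV_STOP_RE = re.compile(r'\bstop\s+"?kingsoft antivirus service"?', re.I)
TEMP_BAT_RE = re.compile(r'/c\s+\S*\\temp\\\$\$a[0-9a-f]+\.bat\b', re.I)
BAT_NAME_RE = re.compile(r"^\$\$a[0-9a-f]+\.bat$", re.I)
DROPPED = {r"c:\windows\logo1_.exe", r"c:\windows\rundl132.exe", r"c:\windows\dll.dll"}
MARKER_NAMES = {"_desktop.ini", "logo1_.exe", "rundl132.exe", "dll.dll"}
IOC_SHA256 = {  # copied from the Files section of this report
    "e4b85b1edd03642cf845907985a60ace501a481804fc68d4862e6c119d3fbc18": "Logo1_.exe",
    "51aee962954838ab0ccc99a3a9ea9b874faead6d63f579cb5f0b30c2ce6fcae0": "$$a3827.bat",
    "47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42": "_desktop.ini marker",
}


def detect(events):
    """Return (rule, pid) pairs for every event that matches one of the recorded behaviours."""
    by_pid = {e.pid: e for e in events}
    hits = []
    for e in events:
        img = e.image.lower()
        if img.endswith(("\\net.exe", "\\net1.exe")) and AV_STOP_RE.search(e.cmdline):
            hits.append(("av_service_stop", e.pid))
        if img.endswith("\\cmd.exe") and TEMP_BAT_RE.search(e.cmdline):
            hits.append(("self_delete_batch", e.pid))
        if img in DROPPED:
            hits.append(("dropped_windows_binary", e.pid))
        parent = by_pid.get(e.ppid)
        if parent is not None and parent.image.lower() in DROPPED:
            hits.append(("child_of_dropped_binary", e.pid))
    return hits


def lineage(events, pid):
    """Image names from pid up to the root, so an alert on net1.exe shows Logo1_.exe above it."""
    by_pid = {e.pid: e for e in events}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid].image.rsplit("\\", 1)[-1])
        pid = by_pid[pid].ppid
    return chain


def scan_tree(root):
    """Hash every file under root whose name matches a dropped file or marker. A name match
    with an unknown hash is still reported (label None) so a rebuilt variant is not missed."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for n in sorted(names):
            if n.lower() in MARKER_NAMES or BAT_NAME_RE.match(n):
                path = os.path.join(dirpath, n)
                with open(path, "rb") as fh:
                    digest = hashlib.sha256(fh.read()).hexdigest()
                findings.append((path, digest, IOC_SHA256.get(digest)))
    return findings


def demo_scan():
    """Scan a constructed tree; the file contents are placeholders, not the real dropped files."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "Program Files", "7-Zip"))
        for rel, data in ((("Program Files", "7-Zip", "_desktop.ini"), b"placeholder marker"),
                          (("Logo1_.exe",), b"MZ placeholder"), (("readme.txt",), b"benign")):
            with open(os.path.join(root, *rel), "wb") as fh:
                fh.write(data)
        return scan_tree(root)


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:24} pid={pid}  {' <- '.join(lineage(EVENTS, pid))}")
    for path, digest, label in demo_scan():
        print(label or "name match, unknown hash", digest[:16], path)
```

On a live host the rules would be fed from Sysmon or EDR process-creation telemetry and scan_tree pointed at C:\Windows, C:\Program Files and the root of every fixed or removable drive, since the report shows the marker being written to drive roots and $RECYCLE.BIN as well as Program Files.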