Malware Analysis Report

2024-11-15 06:34

Sample ID 240613-ecd4gatbme
Target 3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca
SHA256 3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca
Tags
spyware stealer
score
7/10

Analysis Overview

score
7/10

SHA256

3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca

Threat Level: Shows suspicious behavior

The file 3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca was found to show suspicious behavior.

Malicious Activity Summary

spyware stealer

Deletes itself

Reads user/profile data of web browsers

Drops startup file

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 03:47

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 03:47

Reported

2024-06-13 03:49

Platform

win7-20231129-en

Max time kernel

149s

Max time network

121s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Push\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Help\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\SpiderSolitaire\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\mk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access_output\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Checkers\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Triedit\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\cy\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\include\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Defender\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\lib\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Journal\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Antarctica\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Journal\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.console_5.5.0.165303\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\oc\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\text_renderer\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Internet Explorer\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Europe\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ml\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Defender\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Media Player\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Shatter\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\locale\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\visualization\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Minesweeper\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1988 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe C:\Windows\SysWOW64\net.exe
PID 1988 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe C:\Windows\SysWOW64\net.exe
PID 1988 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe C:\Windows\SysWOW64\net.exe
PID 1988 wrote to memory of 1960 N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe C:\Windows\SysWOW64\net.exe
PID 1960 wrote to memory of 2616 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1960 wrote to memory of 2616 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1960 wrote to memory of 2616 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1960 wrote to memory of 2616 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1988 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 3048 N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe C:\Windows\SysWOW64\cmd.exe
PID 1988 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe C:\Windows\Logo1_.exe
PID 1988 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe C:\Windows\Logo1_.exe
PID 1988 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe C:\Windows\Logo1_.exe
PID 1988 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe C:\Windows\Logo1_.exe
PID 1428 wrote to memory of 2648 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1428 wrote to memory of 2648 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1428 wrote to memory of 2648 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1428 wrote to memory of 2648 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3048 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe
PID 3048 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe
PID 3048 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe
PID 3048 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe
PID 2648 wrote to memory of 2592 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2648 wrote to memory of 2592 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2648 wrote to memory of 2592 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2648 wrote to memory of 2592 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1428 wrote to memory of 2688 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1428 wrote to memory of 2688 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1428 wrote to memory of 2688 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1428 wrote to memory of 2688 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2688 wrote to memory of 3024 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2688 wrote to memory of 3024 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2688 wrote to memory of 3024 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2688 wrote to memory of 3024 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1428 wrote to memory of 1260 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 1428 wrote to memory of 1260 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe

"C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1268.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe

"C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/1988-0-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a1268.bat

MD5 e529484e92d1b2da96d42b0a9f6c7a33
SHA1 4fc3ade30150f36d9bc39fc240793175cc49fdc5
SHA256 7aa1de0379b429bbc4554c7686ccb979aaedf8af62963f9027660c9fa916b331
SHA512 50090e6affca4716c7f6f27cca39894a9f1687aab9f8056c18297bd3dc3dc6dd1c1a0fbb079c9d7b81697d6e8f5f0b9abeaac7c1192353e234655a828bac822f

C:\Windows\Logo1_.exe

MD5 94cd6d8f19aa605f6272e77718e921cc
SHA1 e3a27adc311ba10d769eec7d49c4fcd31d5cc8d3
SHA256 e4b85b1edd03642cf845907985a60ace501a481804fc68d4862e6c119d3fbc18
SHA512 4bc4bf143cc1810ac59b481fe7553e7a34531daa8d32494868e2a9c506d8862ed3a9b590b592b457f1df62627186b9d4c8d773eff6adc0f4b62865fb47a072bb

memory/1428-18-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1988-17-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe.exe

MD5 9a1dd1d96481d61934dcc2d568971d06
SHA1 f136ef9bf8bd2fc753292fb5b7cf173a22675fb3
SHA256 8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525
SHA512 7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

memory/1260-27-0x00000000025C0000-0x00000000025C1000-memory.dmp

memory/1428-31-0x0000000000400000-0x0000000000440000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 89a73460685a8ec8c28faa6831606709
SHA1 97b9556d1cfb15410d3cc325b7d98969baa64621
SHA256 a31c974ecfc6088a80b1494d4d670eb7d68702d46cbcca0b9c6d3ca5f6332d1d
SHA512 f5ab38639c051c177cada9aa101c22d96ee1109a508d228d5cfdb3ccde2224f422c48eb0ccb60740cbd9cad8fc089340a3fa5cab84a2d1793400940ce4fb59e9

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 5264aab343fc1f53c29d1065346d0010
SHA1 db43bc0b28b4ada0c5635db50fd0b64410ab76ad
SHA256 d33d56847b353c8207a43aa01cc75527328ebf4bba669e90e29266d1b6fb57dd
SHA512 bb4ba1f7c5cae56cef564dd99f1a1fd3e2c656f8004f689a22ea641d886cbb3a19dde3dce5be4cf8cee4ce190170fd8c5390cb9c7c40ae54109559685119a958

memory/1428-3318-0x0000000000400000-0x0000000000440000-memory.dmp

memory/1428-4123-0x0000000000400000-0x0000000000440000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 03:47

Reported

2024-06-13 03:49

Platform

win10v2004-20240611-en

Max time kernel

149s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\ja-jp\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\it-it\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft Office\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\id\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ru-ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ml\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-cn\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fi-fi\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre8\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BOLDSTRI\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Mozilla Firefox\gmp-clearkey\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\Simple\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Internet Explorer\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\loc\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\DEB9FBB1-50E5-41DF-8D08-3B25BEA0591B\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\sk-sk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\dotnet.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\extensions\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ar-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\fr-fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\cs-cz\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Multimedia Platform\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sm\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ar-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\pl-pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\hu-hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\tnameserv.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nb-no\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ru-ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\ja-jp\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\MLModels\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\ECLIPSE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\hrtfs\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4016 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe C:\Windows\SysWOW64\net.exe
PID 4016 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe C:\Windows\SysWOW64\net.exe
PID 4016 wrote to memory of 1508 N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe C:\Windows\SysWOW64\net.exe
PID 1508 wrote to memory of 3824 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1508 wrote to memory of 3824 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1508 wrote to memory of 3824 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4016 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe C:\Windows\SysWOW64\cmd.exe
PID 4016 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe C:\Windows\SysWOW64\cmd.exe
PID 4016 wrote to memory of 3104 N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe C:\Windows\SysWOW64\cmd.exe
PID 4016 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe C:\Windows\Logo1_.exe
PID 4016 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe C:\Windows\Logo1_.exe
PID 4016 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe C:\Windows\Logo1_.exe
PID 2812 wrote to memory of 2800 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2812 wrote to memory of 2800 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2812 wrote to memory of 2800 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3104 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe
PID 3104 wrote to memory of 2320 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe
PID 2800 wrote to memory of 1040 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2800 wrote to memory of 1040 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2800 wrote to memory of 1040 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2812 wrote to memory of 4600 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2812 wrote to memory of 4600 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2812 wrote to memory of 4600 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4600 wrote to memory of 3192 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4600 wrote to memory of 3192 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4600 wrote to memory of 3192 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2812 wrote to memory of 3424 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2812 wrote to memory of 3424 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe

"C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3D86.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe

"C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/4016-0-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\Logo1_.exe

MD5 94cd6d8f19aa605f6272e77718e921cc
SHA1 e3a27adc311ba10d769eec7d49c4fcd31d5cc8d3
SHA256 e4b85b1edd03642cf845907985a60ace501a481804fc68d4862e6c119d3fbc18
SHA512 4bc4bf143cc1810ac59b481fe7553e7a34531daa8d32494868e2a9c506d8862ed3a9b590b592b457f1df62627186b9d4c8d773eff6adc0f4b62865fb47a072bb

memory/4016-10-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2812-11-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3D86.bat

MD5 04714edab26e97c4a777afa037925c9f
SHA1 43b2b8980503dc8ece868bea333352a240e53f06
SHA256 b46d28b2fbc026986d385f7f91d509e57a2cde8bc3ac43da0e119b069a690e47
SHA512 1b13479c6fb3cb937b2e3aee650b0ece0d92393c97e83b74edf742b824f006cbfaaba7034e8b87a0661fbe7ef8cfd88c6379b671b7a533c3e243e2ae2f47413b

C:\Users\Admin\AppData\Local\Temp\3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca.exe.exe

MD5 9a1dd1d96481d61934dcc2d568971d06
SHA1 f136ef9bf8bd2fc753292fb5b7cf173a22675fb3
SHA256 8cebb25e240db3b6986fcaed6bc0b900fa09dad763a56fb71273529266c5c525
SHA512 7ac1581f8a29e778ba1a1220670796c47fa5b838417f8f635e2cb1998a01515cff3ee57045dacb78a8ec70d43754b970743aba600379fe6d9481958d32d8a5aa

memory/2812-18-0x0000000000400000-0x0000000000440000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-2447855248-390457009-3660902674-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

C:\Program Files\7-Zip\7z.exe

MD5 ba4c49b7bc2b5f6ec78dec7acc679d17
SHA1 1a32f575ced41a4fd8b7ca8c987c9d1e1c00b036
SHA256 3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca
SHA512 64c6f6c05fae9ba45ba27e315ed147028e45f231c53743fb6aeea7a1089f80898ef8611ada983667583a1ec061237614f8b0d1726043f7f6576b264084671b9e

memory/2812-3014-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 89a73460685a8ec8c28faa6831606709
SHA1 97b9556d1cfb15410d3cc325b7d98969baa64621
SHA256 a31c974ecfc6088a80b1494d4d670eb7d68702d46cbcca0b9c6d3ca5f6332d1d
SHA512 f5ab38639c051c177cada9aa101c22d96ee1109a508d228d5cfdb3ccde2224f422c48eb0ccb60740cbd9cad8fc089340a3fa5cab84a2d1793400940ce4fb59e9

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 11e0853d537d2721ecc655c1fc527e91
SHA1 c8e23d103e93073ba7c93374878ae9a9f926c944
SHA256 f168cda7cfa0f4f1d8dc26f615772410afe41b43fbc3da3cfe2c249b1eadca30
SHA512 3e5af85789e480d355053e9ded02108ae53136aec795d5d37faf1d5426275f7f3729e5583b0a95b3434d5b4452c7382405c0f8bc94e8a65275335c62268e0ee2

memory/2812-8693-0x0000000000400000-0x0000000000440000-memory.dmp