Malware Analysis Report

2024-11-15 06:34

Sample ID: 240613-eczeeatbnf
Target: 33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d
SHA256: 33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d
Tags: spyware, stealer
Score: 7/10


Analysis Overview

Score: 7/10

SHA256: 33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d

Threat Level: Shows suspicious behavior

Malicious Activity Summary

spyware stealer

Loads dropped DLL

Reads user/profile data of web browsers

Deletes itself

Drops startup file

Executes dropped EXE

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Runs net.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-13 03:48

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 03:48
Reported: 2024-06-13 03:50
Platform: win7-20240220-en
Max time kernel: 149s
Max time network: 119s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |

Loads dropped DLL

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\X: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\Logo1_.exe | N/A |

Drops file in Program Files directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Program Files\VideoLAN\VLC\locale\hr\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RIPPLE\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\SpiderSolitaire\de-DE\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\sr\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ca\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\fa\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\cy\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Annotations\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows NT\Accessories\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\META-INF\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\browser\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\bs\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\plugins\spu\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows NT\TableTextService\es-ES\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\META-INF\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\Office14\MSOHTMED.EXE | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\MSBuild\Microsoft\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\as_IN\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\fr\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Javascripts\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\db\bin\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\servertool.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\sl\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Mahjong\it-IT\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\plugins\audio_filter\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\plugins\demux\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Adobe\Help\en_US\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Windows NT\TableTextService\it-IT\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Microsoft Games\Chess\es-ES\_desktop.ini | C:\Windows\Logo1_.exe | N/A |

Drops file in Windows directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\rundl132.exe | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Windows\Dll.dll | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Windows\rundl132.exe | C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe | N/A |
| File created | C:\Windows\Logo1_.exe | C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe | N/A |

Runs net.exe

Suspicious behavior: EnumeratesProcesses

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe | N/A |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2908 wrote to memory of 1840 | N/A | C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe | C:\Windows\SysWOW64\net.exe |
| PID 1840 wrote to memory of 2584 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 2908 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe | C:\Windows\SysWOW64\cmd.exe |
| PID 2908 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe | C:\Windows\Logo1_.exe |
| PID 2692 wrote to memory of 2792 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe |
| PID 2792 wrote to memory of 2688 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 2660 wrote to memory of 2768 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe |
| PID 2692 wrote to memory of 2564 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe |
| PID 2564 wrote to memory of 2392 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe |
| PID 2692 wrote to memory of 1100 | N/A | C:\Windows\Logo1_.exe | C:\Windows\Explorer.EXE |

Processes

| Image | Command line |
| --- | --- |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe | "C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe" |
| C:\Windows\SysWOW64\net.exe | net stop "Kingsoft AntiVirus Service" |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service" |
| C:\Windows\SysWOW64\cmd.exe | cmd /c C:\Users\Admin\AppData\Local\Temp\$$a197A.bat |
| C:\Windows\Logo1_.exe | C:\Windows\Logo1_.exe |
| C:\Windows\SysWOW64\net.exe | net stop "Kingsoft AntiVirus Service" |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service" |
| C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe | "C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe" |
| C:\Windows\SysWOW64\net.exe | net stop "Kingsoft AntiVirus Service" |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service" |

Network

N/A

Files

memory/2908-0-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a197A.bat

MD5 dcf1204f5c7c389d36f540546dd4c685
SHA1 c02a81e72eb17e9fe240eead404a55c0ab9ac4bc
SHA256 0427f893074f785d745f0416db1599e1faccd870168b70cb9a1dba11f3412ced
SHA512 62c3607243ecf684d07a96357f7be7393f082623da449efed0b46d77ac33453f7a9eab1dd4c0fb0e27e4bbb2edfa9883ca0f3f5966df83c4d20df7b6c12f5114

memory/2908-12-0x0000000000230000-0x0000000000270000-memory.dmp

C:\Windows\Logo1_.exe

MD5 94cd6d8f19aa605f6272e77718e921cc
SHA1 e3a27adc311ba10d769eec7d49c4fcd31d5cc8d3
SHA256 e4b85b1edd03642cf845907985a60ace501a481804fc68d4862e6c119d3fbc18
SHA512 4bc4bf143cc1810ac59b481fe7553e7a34531daa8d32494868e2a9c506d8862ed3a9b590b592b457f1df62627186b9d4c8d773eff6adc0f4b62865fb47a072bb

memory/2692-19-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2908-18-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe.exe

MD5 50f289df0c19484e970849aac4e6f977
SHA1 3dc77c8830836ab844975eb002149b66da2e10be
SHA256 b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305
SHA512 877d852ea1062b90e2fd2f3c4dc7d05d9697e9a9b2929c830a770b62741f6a11e06de73275eb871113f11143faf1cb40d99f7c247862ffb778d26833ed5d7e38

memory/1100-31-0x00000000025C0000-0x00000000025C1000-memory.dmp

memory/2692-34-0x0000000000400000-0x0000000000440000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-2721934792-624042501-2768869379-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 89a73460685a8ec8c28faa6831606709
SHA1 97b9556d1cfb15410d3cc325b7d98969baa64621
SHA256 a31c974ecfc6088a80b1494d4d670eb7d68702d46cbcca0b9c6d3ca5f6332d1d
SHA512 f5ab38639c051c177cada9aa101c22d96ee1109a508d228d5cfdb3ccde2224f422c48eb0ccb60740cbd9cad8fc089340a3fa5cab84a2d1793400940ce4fb59e9

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 5264aab343fc1f53c29d1065346d0010
SHA1 db43bc0b28b4ada0c5635db50fd0b64410ab76ad
SHA256 d33d56847b353c8207a43aa01cc75527328ebf4bba669e90e29266d1b6fb57dd
SHA512 bb4ba1f7c5cae56cef564dd99f1a1fd3e2c656f8004f689a22ea641d886cbb3a19dde3dce5be4cf8cee4ce190170fd8c5390cb9c7c40ae54109559685119a958

memory/2692-3322-0x0000000000400000-0x0000000000440000-memory.dmp

memory/2692-4145-0x0000000000400000-0x0000000000440000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 03:48
Reported: 2024-06-13 03:50
Platform: win10v2004-20240508-en
Max time kernel: 150s
Max time network: 52s

Command Line

C:\Windows\Explorer.EXE

Signatures

Drops startup file

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | C:\Windows\Logo1_.exe | N/A |

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\X: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\Logo1_.exe | N/A |

Drops file in Program Files directory

| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\rmid.exe | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\ja-JP\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sv-se\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\eu-es\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\DataModel\Resources\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ja-jp\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-ae\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Internet Explorer\es-ES\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\Updates\Download\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\br\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ru\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nb-no\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\ja-JP\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\tr-tr\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ar-ae\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\jjs.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Document Themes 16\Theme Colors\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\it\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_US\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\zh_TW\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\en-US\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\js\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-gb\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ne\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\it-it\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-il\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-gb\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ja-jp\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\Updates\Download\PackageFiles\C4DB1FF2-9CF3-498E-B7AA-765DC7D448F8\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\kab\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\video_chroma\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\it-it\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Windows Media Player\de-DE\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\ja-jp\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Configuration\Registration\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\LISTS\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\af\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ast\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sl-si\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-il\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-cn\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\de-de\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\images\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft SQL Server\130\Shared\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\Diagnostics\Simple\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 408 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe C:\Windows\SysWOW64\net.exe
PID 408 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe C:\Windows\SysWOW64\net.exe
PID 408 wrote to memory of 996 N/A C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe C:\Windows\SysWOW64\net.exe
PID 996 wrote to memory of 3724 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 996 wrote to memory of 3724 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 996 wrote to memory of 3724 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 408 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe C:\Windows\SysWOW64\cmd.exe
PID 408 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe C:\Windows\SysWOW64\cmd.exe
PID 408 wrote to memory of 1288 N/A C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe C:\Windows\SysWOW64\cmd.exe
PID 408 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe C:\Windows\Logo1_.exe
PID 408 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe C:\Windows\Logo1_.exe
PID 408 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe C:\Windows\Logo1_.exe
PID 216 wrote to memory of 60 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 216 wrote to memory of 60 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 216 wrote to memory of 60 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1288 wrote to memory of 2392 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe
PID 1288 wrote to memory of 2392 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe
PID 60 wrote to memory of 4828 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 60 wrote to memory of 4828 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 60 wrote to memory of 4828 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 216 wrote to memory of 2108 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 216 wrote to memory of 2108 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 216 wrote to memory of 2108 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2108 wrote to memory of 2276 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2108 wrote to memory of 2276 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2108 wrote to memory of 2276 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 216 wrote to memory of 3428 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 216 wrote to memory of 3428 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe

"C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3F5B.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe

"C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
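
The WriteProcessMemory table and the Processes list above describe one execution chain, but the report prints them flat and repeats each write three times. The script below is an added example, not sandbox output: it rebuilds the parent/child tree from the distinct PID pairs on this page and flags the edges a responder would act on: net.exe/net1.exe stopping an antivirus service, the sample re-launched through the cmd.exe /c $$a3F5B.bat step, execution of Logo1_.exe (one of the files the "Drops file in Windows directory" table shows being created), and Logo1_.exe writing into Explorer.EXE. Command lines are copied from the Processes list and keyed by image path, which loses nothing here because every net.exe and net1.exe instance on the page runs the same command; the rule names and the service-name word list in AV_STOP are this example's own, not sandbox signature names.

```python
"""Process-tree reconstruction for the WriteProcessMemory rows above.

Added example, not sandbox output. EDGES has one entry per distinct
(parent PID, child PID) pair on this page; CMDLINES carries the command
line the Processes list shows for each image path. Rule names are this
example's own labels.
"""
import re

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe")
NET = r"C:\Windows\SysWOW64\net.exe"
NET1 = r"C:\Windows\SysWOW64\net1.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
LOGO = r"C:\Windows\Logo1_.exe"
EXPLORER = r"C:\Windows\Explorer.EXE"

# (parent pid, child pid, parent image, child image), in report order.
EDGES = [
    (408, 996, SAMPLE, NET),
    (996, 3724, NET, NET1),
    (408, 1288, SAMPLE, CMD),
    (408, 216, SAMPLE, LOGO),
    (216, 60, LOGO, NET),
    (1288, 2392, CMD, SAMPLE),
    (60, 4828, NET, NET1),
    (216, 2108, LOGO, NET),
    (2108, 2276, NET, NET1),
    (216, 3428, LOGO, EXPLORER),
]

# Command lines from the Processes list, keyed by image path.
CMDLINES = {
    SAMPLE: f'"{SAMPLE}"',
    NET: 'net stop "Kingsoft AntiVirus Service"',
    NET1: r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"',
    CMD: r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3F5B.bat",
    LOGO: LOGO,
    EXPLORER: EXPLORER,
}

# Files the "Drops file in Windows directory" table shows being created.
DROPPED = {LOGO.lower(), r"C:\Windows\rundl132.exe".lower(), r"C:\Windows\Dll.dll".lower()}

# "net stop" / "net1 stop" against a service whose name contains one of
# these words; the word list is illustrative, extend it for your estate.
AV_STOP = re.compile(r'\bnet1?(?:\.exe)?\s+stop\s+"?[^"]*(?:antivirus|defender|security)', re.I)


def build_tree(edges):
    """Return (children, image): children[pid] -> child PIDs in report
    order, image[pid] -> image path."""
    children, image = {}, {}
    for parent, child, parent_img, child_img in edges:
        image.setdefault(parent, parent_img)
        image[child] = child_img
        children.setdefault(parent, []).append(child)
    return children, image


def roots(edges):
    """PIDs that only ever appear as a writer, never as a target."""
    return sorted({e[0] for e in edges} - {e[1] for e in edges})


def render_tree(edges):
    """Indented text tree, one process per line."""
    children, image = build_tree(edges)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {image[pid]}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots(edges):
        walk(root, 0)
    return "\n".join(lines)


def flag_edges(edges, cmdlines):
    """Return (rule, child pid, detail) for every edge that trips a rule."""
    _, image = build_tree(edges)
    parent_of = {child: parent for parent, child, _, _ in edges}
    flags = []
    for parent, child, parent_img, child_img in edges:
        cmd = cmdlines.get(child_img, child_img)
        if AV_STOP.search(cmd):
            flags.append(("AV_SERVICE_STOP", child, cmd))
        if child_img.lower() == EXPLORER.lower():
            # The shell was not started by this chain; a write into it is injection.
            flags.append(("WRITE_INTO_SHELL", child, f"by {parent_img} (pid {parent})"))
        elif child_img.lower() in DROPPED:
            flags.append(("EXECUTES_DROPPED_EXE", child, child_img))
        # Child image equal to the parent's or any ancestor's image: the
        # sample re-executing itself (here through cmd.exe /c <batch>).
        ancestor = parent
        while ancestor is not None:
            if image[ancestor].lower() == child_img.lower():
                flags.append(("SELF_RELAUNCH", child, f"via {parent_img} (pid {parent})"))
                break
            ancestor = parent_of.get(ancestor)
    return flags


if __name__ == "__main__":
    print(render_tree(EDGES))
    for rule, pid, detail in flag_edges(EDGES, CMDLINES):
        print(f"[{rule}] pid {pid}: {detail}")
```

Run stand-alone it prints the eleven-process tree rooted at PID 408 followed by nine flags: six AV_SERVICE_STOP hits (every net.exe and net1.exe instance), EXECUTES_DROPPED_EXE for 216, SELF_RELAUNCH for 2392 and WRITE_INTO_SHELL for 3428. The same rules apply unchanged to process-creation telemetry from an EDR, where the edges come from parent/child PID fields instead of this table.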

Network

Files

memory/408-0-0x0000000000400000-0x0000000000440000-memory.dmp

memory/408-10-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Windows\Logo1_.exe

MD5 94cd6d8f19aa605f6272e77718e921cc
SHA1 e3a27adc311ba10d769eec7d49c4fcd31d5cc8d3
SHA256 e4b85b1edd03642cf845907985a60ace501a481804fc68d4862e6c119d3fbc18
SHA512 4bc4bf143cc1810ac59b481fe7553e7a34531daa8d32494868e2a9c506d8862ed3a9b590b592b457f1df62627186b9d4c8d773eff6adc0f4b62865fb47a072bb

memory/216-11-0x0000000000400000-0x0000000000440000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3F5B.bat

MD5 c1850cba5607a2f91e3197554c5b3df4
SHA1 2121146aba88894bb785f51b660d964bf5c8a930
SHA256 c14c4340a524546e89a207abc58ba6cca0ee460c0ee39b7d8c3b3d09f97df3a8
SHA512 25dd94bf2c68bc2178d57ba859a47f69272c6cfef07cf09c2ea643c2556447c39e1ffa943cf2c9796842da2b63135e0fda99f96d168aaa2abacf2103cec431e5

C:\Users\Admin\AppData\Local\Temp\33df5ef4d464a58ed56bd8ad49cbd8c615b8e1c8f749d4d7d26e5c6e169b199d.exe.exe

MD5 50f289df0c19484e970849aac4e6f977
SHA1 3dc77c8830836ab844975eb002149b66da2e10be
SHA256 b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305
SHA512 877d852ea1062b90e2fd2f3c4dc7d05d9697e9a9b2929c830a770b62741f6a11e06de73275eb871113f11143faf1cb40d99f7c247862ffb778d26833ed5d7e38

memory/216-18-0x0000000000400000-0x0000000000440000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-2804150937-2146708401-419095071-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

C:\Program Files\7-Zip\7z.exe

MD5 ba4c49b7bc2b5f6ec78dec7acc679d17
SHA1 1a32f575ced41a4fd8b7ca8c987c9d1e1c00b036
SHA256 3bfe4f70173faf12dafe08bcabf4e8287caea7040a400b4abcc9cb4c833ca3ca
SHA512 64c6f6c05fae9ba45ba27e315ed147028e45f231c53743fb6aeea7a1089f80898ef8611ada983667583a1ec061237614f8b0d1726043f7f6576b264084671b9e

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 89a73460685a8ec8c28faa6831606709
SHA1 97b9556d1cfb15410d3cc325b7d98969baa64621
SHA256 a31c974ecfc6088a80b1494d4d670eb7d68702d46cbcca0b9c6d3ca5f6332d1d
SHA512 f5ab38639c051c177cada9aa101c22d96ee1109a508d228d5cfdb3ccde2224f422c48eb0ccb60740cbd9cad8fc089340a3fa5cab84a2d1793400940ce4fb59e9

memory/216-5220-0x0000000000400000-0x0000000000440000-memory.dmp

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 11e0853d537d2721ecc655c1fc527e91
SHA1 c8e23d103e93073ba7c93374878ae9a9f926c944
SHA256 f168cda7cfa0f4f1d8dc26f615772410afe41b43fbc3da3cfe2c249b1eadca30
SHA512 3e5af85789e480d355053e9ded02108ae53136aec795d5d37faf1d5426275f7f3729e5583b0a95b3434d5b4452c7382405c0f8bc94e8a65275335c62268e0ee2

memory/216-8742-0x0000000000400000-0x0000000000440000-memory.dmp
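
The drop tables above and the hashes in the Files section give a responder three things to look for on a suspect host: Logo1_.exe, rundl132.exe and Dll.dll directly under C:\Windows, a $$a3F5B.bat launcher in a Temp directory, and _desktop.ini (with the leading underscore; Windows' own file is desktop.ini) written across Program Files and other drives. The script below is an added example, not part of the report: it walks a directory tree (a mounted image or an offline copy of one), hashes every file, and reports name-based hits plus any SHA256 that matches the dropped files listed on this page. build_fixture() lays out a constructed copy of the paths from this report with placeholder contents so the scan can be run offline, which means only the name rules fire on it. The generalisation from $$a3F5B.bat to $$a followed by four hex digits is this example's assumption, as is the explicit name list for the Windows root: a rule for any .exe directly under C:\Windows would also catch legitimate files such as explorer.exe, which the fixture includes as a control.

```python
"""Filesystem hunt for the artefacts listed on this page.

Added example, not part of the report. scan() walks a directory tree
(a mounted image or an offline copy of one), hashes each file and
reports name-based hits and SHA256 matches; build_fixture() writes a
constructed copy of the report's layout with placeholder contents.
"""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# SHA256 values of the dropped files from the Files section of this report.
KNOWN_HASHES = {
    "e4b85b1edd03642cf845907985a60ace501a481804fc68d4862e6c119d3fbc18": "Logo1_.exe",
    "c14c4340a524546e89a207abc58ba6cca0ee460c0ee39b7d8c3b3d09f97df3a8": "$$a3F5B.bat",
    "b9b179b305c5268ad428b6ae59de10b4fe99cf0199bbc89b7017181905e97305": "<sample>.exe.exe",
    "47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42": "_desktop.ini",
}
# Names the "Drops file in Windows directory" table shows directly under \Windows.
DROPPED_IN_WINDOWS = {"logo1_.exe", "rundl132.exe", "dll.dll"}
# $$a3F5B.bat generalised to "$$a" + four hex digits (assumption, not from the page).
BATCH_LAUNCHER = re.compile(r"^\$\$a[0-9a-f]{4}\.bat$", re.I)
# Constructed contents written by build_fixture(); not the real dropped files.
PLACEHOLDER = b"constructed placeholder content\n"


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def placeholder_digest():
    return hashlib.sha256(PLACEHOLDER).hexdigest()


def classify(rel):
    """Name/location rule a path (relative to the volume root) trips, or None."""
    parts = [p.lower() for p in Path(rel).parts]
    if parts[-1] == "_desktop.ini":          # Windows' own file is desktop.ini
        return "MARKER_FILE"
    if len(parts) == 2 and parts[0] == "windows" and parts[1] in DROPPED_IN_WINDOWS:
        return "DROPPED_IN_WINDOWS"
    if BATCH_LAUNCHER.match(parts[-1]) and "temp" in parts[:-1]:
        return "BATCH_LAUNCHER"
    return None


def scan(root):
    """Return sorted (relative posix path, reasons, sha256) for every hit."""
    root = Path(root)
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            rel = path.relative_to(root)
            try:
                digest = sha256_of(path)
            except OSError:
                continue                      # locked or unreadable; move on
            reasons = []
            rule = classify(rel)
            if rule:
                reasons.append(rule)
            if digest in KNOWN_HASHES:
                reasons.append("KNOWN_HASH:" + KNOWN_HASHES[digest])
            if reasons:
                hits.append((rel.as_posix(), tuple(reasons), digest))
    return sorted(hits)


def build_fixture():
    """Constructed volume layout mirroring paths on this page, plus benign
    controls (7z.exe, explorer.exe in the Windows root, notepad.exe)."""
    root = Path(tempfile.mkdtemp(prefix="hunt-"))
    for rel in [
        "Windows/Logo1_.exe", "Windows/rundl132.exe", "Windows/Dll.dll",
        "Users/Admin/AppData/Local/Temp/$$a3F5B.bat",
        "Program Files/VideoLAN/VLC/locale/ne/_desktop.ini",
        "Program Files/7-Zip/7z.exe", "Windows/explorer.exe",
        "Windows/System32/notepad.exe",
    ]:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(PLACEHOLDER)
    return root


if __name__ == "__main__":
    for rel, reasons, digest in scan(build_fixture()):
        print(f"{digest[:12]}  {', '.join(reasons):20}  {rel}")
```

Against the fixture the scan returns five hits and stays silent on the three controls; against a real image the KNOWN_HASH reason fires on any file whose content matches the dropped files above, regardless of where it was renamed to. The MARKER_FILE rule is deliberately broad: on an infected host the report shows _desktop.ini in hundreds of directories, so the count of hits is itself a useful triage signal.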