Malware Analysis Report

2025-03-15 05:42

Sample ID 240510-pjcjbsdh8v
Target fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477
SHA256 fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477
Tags
aspackv2
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477

Threat Level: Shows suspicious behavior

The file fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477 shows suspicious behavior (sandbox score 7/10). The main indicators are an ASPack-packed, unsigned PE that drops and executes Logo1_.exe, stops an anti-virus service via net.exe, writes _desktop.ini markers across Program Files and attached drives, opens existing executables for modification, writes into Explorer.EXE, and removes itself through a batch helper.

Malicious Activity Summary

aspackv2

ASPack v2.12-2.42

Loads dropped DLL

Deletes itself

Executes dropped EXE

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-10 12:21

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-10 12:21

Reported

2024-05-10 12:23

Platform

win7-20240508-en

Max time kernel

149s

Max time network

118s

Command Line

C:\Windows\Explorer.EXE

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ESEN\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveDocumentReview\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\core\locale\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ie\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk15\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\lib\cmm\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\SystemV\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\d3d11\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\or_IN\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Google\CrashReports\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Americana\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\el\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\playlist\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\GrayCheck\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\access_output\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.rcp.product_5.5.0.165303\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\images\cursors\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Help\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\mn\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\nn\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1704 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477.exe C:\Windows\SysWOW64\cmd.exe
PID 1704 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477.exe C:\Windows\SysWOW64\cmd.exe
PID 1704 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477.exe C:\Windows\SysWOW64\cmd.exe
PID 1704 wrote to memory of 2896 N/A C:\Users\Admin\AppData\Local\Temp\fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477.exe C:\Windows\SysWOW64\cmd.exe
PID 1704 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477.exe C:\Windows\Logo1_.exe
PID 1704 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477.exe C:\Windows\Logo1_.exe
PID 1704 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477.exe C:\Windows\Logo1_.exe
PID 1704 wrote to memory of 2732 N/A C:\Users\Admin\AppData\Local\Temp\fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477.exe C:\Windows\Logo1_.exe
PID 2732 wrote to memory of 2716 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2732 wrote to memory of 2716 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2732 wrote to memory of 2716 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2732 wrote to memory of 2716 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2896 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477.exe
PID 2896 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477.exe
PID 2896 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477.exe
PID 2896 wrote to memory of 2644 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477.exe
PID 2716 wrote to memory of 2652 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2716 wrote to memory of 2652 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2716 wrote to memory of 2652 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2716 wrote to memory of 2652 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2732 wrote to memory of 1208 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2732 wrote to memory of 1208 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

Process tree reconstructed from the WriteProcessMemory table above. Indentation shows a parent writing into the child it spawned; each image is followed by its command line.

C:\Windows\Explorer.EXE (PID 1208; written into by Logo1_.exe, PID 2732, not spawned by it)
  C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477.exe (PID 1704)
  "C:\Users\Admin\AppData\Local\Temp\fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477.exe"

    C:\Windows\SysWOW64\cmd.exe (PID 2896)
      cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1B00.bat

        C:\Users\Admin\AppData\Local\Temp\fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477.exe (PID 2644)
          "C:\Users\Admin\AppData\Local\Temp\fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477.exe"

    C:\Windows\Logo1_.exe (PID 2732)
      C:\Windows\Logo1_.exe

        C:\Windows\SysWOW64\net.exe (PID 2716)
          net stop "Kingsoft AntiVirus Service"

            C:\Windows\SysWOW64\net1.exe (PID 2652)
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
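Two of the command lines above are worth a detection rule on their own: the `net stop` / `net1 stop` of an anti-virus service (the "Runs net.exe" signature, which the report leaves without detail rows), and `cmd.exe /c` pointing at a `$$a....bat` file under the user's Temp directory, which is the helper behind the "Deletes itself" signature. The code below is an added example, not part of the sandbox report. It runs both rules over a constructed set of command lines: the four real ones from behavioral1 and behavioral2 plus two benign ones. The list of security-product name fragments is an analyst assumption; the report only evidences the Kingsoft service.

```python
"""Command-line rules for the two behaviours shown in the Processes sections:
stopping a security service with net.exe/net1.exe, and running a batch helper
out of a Temp directory through cmd.exe /c. Added example, not report output."""
import re

# Constructed input: the report's command lines plus two benign controls.
COMMAND_LINES = [
    r'cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1B00.bat',
    r'C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6002.bat',
    r'net stop "Kingsoft AntiVirus Service"',
    r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"',
    r'net stop Spooler',                      # benign: not a security product
    r'cmd /c C:\Scripts\nightly-backup.bat',  # benign: batch file not under Temp
]

# Assumption: substrings that identify security products in a service name.
SECURITY_SERVICE_HINTS = ("antivirus", "anti-virus", "kingsoft", "defender", "mcafee",
                          "symantec", "kaspersky", "sophos", "avast", "bitdefender")

# net.exe or net1.exe (bare or full path) followed by "stop" and a quoted or bare service name.
NET_STOP = re.compile(
    r'(?:^|\\)net1?(?:\.exe)?\s+stop\s+(?:"(?P<quoted>[^"]+)"|(?P<bare>\S+))',
    re.IGNORECASE,
)
# cmd.exe /c <path>\Temp\<name>.bat  (Temp or Tmp anywhere in the path).
TEMP_BAT = re.compile(
    r'(?:^|\\)cmd(?:\.exe)?\s+/c\s+"?([^"\s]*\\(?:Temp|Tmp)\\[^"\s]*\.bat)\b',
    re.IGNORECASE,
)


def analyse(cmdline):
    """Return a list of (rule_name, detail) findings for one command line."""
    findings = []
    m = NET_STOP.search(cmdline)
    if m:
        service = m.group("quoted") or m.group("bare")
        if any(hint in service.lower() for hint in SECURITY_SERVICE_HINTS):
            findings.append(("security_service_stop", service))
    m = TEMP_BAT.search(cmdline)
    if m:
        findings.append(("temp_batch_helper", m.group(1)))
    return findings


def scan(lines):
    """Map every command line that fires at least one rule to its findings."""
    hits = {}
    for line in lines:
        findings = analyse(line)
        if findings:
            hits[line] = findings
    return hits


if __name__ == "__main__":
    for line, findings in scan(COMMAND_LINES).items():
        print(line)
        for rule, detail in findings:
            print(f"    {rule}: {detail}")
```

Note that net.exe hands the real work to net1.exe, so the same service stop shows up twice (PIDs 2716 and 2652 above); a rule that only matches `net.exe` would still catch it, but matching `net1` as well covers direct invocations of net1.exe. The Temp-batch rule is deliberately narrow; loosen the directory pattern if your environment drops batch helpers elsewhere.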

Network

N/A

Files

memory/1704-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a1B00.bat

MD5 1e6de988a35ff067be2e40f30893fe10
SHA1 2fc8f0305e681f85b8abe40607c232a05601ceb4
SHA256 4c5df8a3b4957d1b2009daf7a2355e20cdcbcb3218b9b2fae10046a7c4869b41
SHA512 bdac9d8165610954fe12cd7523a30e82988e4506067ce516a7000e5022212f31386aca94c2cdb82ba92aae99a2ab6c2c442cf2a1a2158007a0ebd0f6dfdc9a6e

memory/1704-16-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2732-18-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\Logo1_.exe

MD5 3c07fcf28cfc55eda6316b61767a0bd8
SHA1 780cd29c6647029cada8ded0e958214095379928
SHA256 b3be87549d1a0ab431df3c4cfd63b45ef8eb88dc1d0f33a483c0926130858817
SHA512 0bfcf6bfedc1224730dcec9c1717b8b7b3c8d17c48001c6331d4d45e10354bcdddedcd45d377b046db57df1dacf6c3f41f58f0868ab55102b47307e1a9e1f920

C:\Users\Admin\AppData\Local\Temp\fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477.exe.exe

MD5 c1b29586ebe8c3fd4c327cdb66d76590
SHA1 518cb3a7edf803fbd0e8ea80198d2927e4e1e611
SHA256 533dd3ccc2a4f1d9779a2c91711930b135d52d97d1750db98433b4144b11ce9d
SHA512 dd7fa188ee2ce9236043098bbf12879a87f8c7f183849e391b4939992d2dd5ac710223095dd5bbcb6dab800ca554d320bf0cedf52c72d057cac6021d66c28bd8

memory/2896-27-0x0000000002390000-0x000000000256E000-memory.dmp

memory/2644-29-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/2644-30-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/1208-32-0x0000000002E00000-0x0000000002E01000-memory.dmp

memory/2732-34-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2644-35-0x0000000000400000-0x00000000005DE000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-2737914667-933161113-3798636211-1000\_desktop.ini

MD5 4d28283e4d415600ffc2f8fda6d8c91e
SHA1 053dcb8d5d84b75459bc82d8740ee4684d680016
SHA256 b855effeaf01610130d3f38de35bc7f98bfc6643d98d4198af18534f048e8df7
SHA512 73a758cd5e5ac48d62dd89719be604214895e0cc9a10ff7464a6cf9161a37fd27d15dd2d2565f18198b381ac6442bcb36f38614df7b1176061a83616517a7edb

memory/2732-42-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2644-43-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/2644-44-0x00000000003E0000-0x00000000003E1000-memory.dmp

memory/2732-53-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2732-99-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2732-107-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2732-845-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2732-1887-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2732-2196-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 c454ec124e6e637c56ba553e5fadccd5
SHA1 abe2fca74be2095dbbbf0719f1c023c4ee103149
SHA256 86edcfdaad5beff444681d67531bbc0a0a0637e993fbedf886fa6be679fa8354
SHA512 5f339dd49c49b4342e1c105141b362d32bfcd3956deb141bc68865a19a0cbf4412097882a18366324b8430e90a820ff8eb729a3d24599e0aed184c0eb865108c

memory/2732-3349-0x0000000000400000-0x0000000000434000-memory.dmp

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 f9fc019eacb573ec828d2d9ff6a48318
SHA1 b91958dc8d178b6eeb35e829bab84d0fb12c2280
SHA256 bf9ba3df2bad76d15f4efe42c0c59f37b9454907958892df8ab996552658934e
SHA512 998ba7bc7cdd5df3e1acfda6f4f92ec9d27732e1e182177dff310f3c918f3be99626a3526bebdff5bb7eb980640434baf56e0f08bfd125168c0a9e37e7239305

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-10 12:21

Reported

2024-05-10 12:23

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

97s

Command Line

C:\Windows\Explorer.EXE

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fr-FR\View3d\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-black\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_x64__8wekyb3d8bbwe\XboxIdp.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\he-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Resources\Fonts\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\Visualizations\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\sd\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Content\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hr-hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ieinstal.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_2019.716.2316.0_neutral_~_8wekyb3d8bbwe\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ja-jp\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\WidevineCdm\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\7-Zip\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ssvagent.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ar-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\uk-UA\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Cortana.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\zh-cn\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Internet Explorer\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sk-sk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pl-pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\he-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\orbd.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_neutral_split.scale-100_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\legal\jdk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-ma\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Advertising.Xaml_10.1808.3.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_split.scale-125_8wekyb3d8bbwe\Win10\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\Microsoft.Wallet.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\he-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\hu-hu\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477.exe N/A
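The file tables in behavioral1 and behavioral2 mix three things that deserve different handling: the _desktop.ini markers Logo1_.exe writes into almost every directory it visits (including F:\$RECYCLE.BIN\... in behavioral1's Files list, which ties the "Enumerates connected drives" signature to writes on attached drives), the sample's own drops under C:\Windows (rundl132.exe, Logo1_.exe, vDll.dll), and existing executables that Logo1_.exe opened for modification (OUTLOOK.EXE, GoogleUpdateCore.exe, AcroRd32.exe, ieinstal.exe, Cortana.exe and others). The last group is the one to follow up: behavioral1's Files section lists GoogleUpdateCore.exe with hashes taken after the write, so comparing them against a known-good copy tells you whether the file was altered. The script below is an added example, not part of the report. It parses rows in the table's own layout, using a constructed subset of the rows above, and separates the three groups.

```python
"""Triage sandbox file-event rows: marker files, the sample's own drops, and
pre-existing executables that were opened for modification.
Added example; rows are a constructed subset of the report's tables."""
import re
from pathlib import PureWindowsPath

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477.exe"
LOGO = r"C:\Windows\Logo1_.exe"

# Constructed input: rows copied from the Program Files and Windows directory
# tables; the F: row is built from behavioral1's Files listing, which has no
# table row of its own.
FILE_EVENTS = [
    rf"File created C:\Program Files\7-Zip\_desktop.ini {LOGO} N/A",
    rf"File opened for modification C:\Program Files (x86)\Windows Defender\es-ES\_desktop.ini {LOGO} N/A",
    rf"File created C:\Program Files\VideoLAN\VLC\_desktop.ini {LOGO} N/A",
    rf"File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE {LOGO} N/A",
    rf"File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe {LOGO} N/A",
    rf"File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe {LOGO} N/A",
    rf"File created C:\Windows\rundl132.exe {SAMPLE} N/A",
    rf"File created C:\Windows\Logo1_.exe {SAMPLE} N/A",
    rf"File opened for modification C:\Windows\rundl132.exe {LOGO} N/A",
    rf"File created C:\Windows\vDll.dll {LOGO} N/A",
    rf"File created F:\$RECYCLE.BIN\S-1-5-21-2737914667-933161113-3798636211-1000\_desktop.ini {LOGO} N/A",
]

# Row layout: "<action> <file path, may contain spaces> <process path, no spaces> N/A".
ROW = re.compile(r"^(File created|File opened for modification) (.+) (\S+) N/A$")


def parse_file_events(rows):
    """Return a list of (action, file_path, process_path) tuples."""
    events = []
    for row in rows:
        m = ROW.match(row.strip())
        if m:
            events.append((m.group(1), m.group(2), m.group(3)))
    return events


def triage(events):
    """Group events into marker directories, drives touched, own drops and
    pre-existing .exe files that were opened for modification."""
    created = {path for action, path, _ in events if action == "File created"}
    marker_dirs, drives, dropped, modified_exe = set(), set(), [], []
    for action, path, _process in events:
        p = PureWindowsPath(path)
        drives.add(p.drive.rstrip(":").upper())
        if p.name.lower() == "_desktop.ini":
            marker_dirs.add(str(p.parent))          # marker file: record where, not what
        elif action == "File created":
            dropped.append(path)                    # the sample's own payload drops
        elif p.suffix.lower() == ".exe" and path not in created:
            modified_exe.append(path)               # existing binary written to: hash-check it
    return {
        "marker_dirs": sorted(marker_dirs),
        "non_system_drives": sorted(drives - {"C"}),
        "dropped": dropped,
        "modified_preexisting_exe": modified_exe,
    }


if __name__ == "__main__":
    result = triage(parse_file_events(FILE_EVENTS))
    for key, value in result.items():
        print(f"{key}:")
        for item in value:
            print(f"    {item}")
```

Feeding the full tables through the same functions gives the complete list of executables to hash against a clean reference install; rundl132.exe is excluded from that list because the sample created it itself earlier in the run. The marker-directory count is also a cheap way to compare the two detonations, since the Windows 7 and Windows 10 images have different software installed and therefore different numbers of _desktop.ini rows.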

Runs net.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3632 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477.exe C:\Windows\SysWOW64\cmd.exe
PID 3632 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477.exe C:\Windows\SysWOW64\cmd.exe
PID 3632 wrote to memory of 684 N/A C:\Users\Admin\AppData\Local\Temp\fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477.exe C:\Windows\SysWOW64\cmd.exe
PID 3632 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477.exe C:\Windows\Logo1_.exe
PID 3632 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477.exe C:\Windows\Logo1_.exe
PID 3632 wrote to memory of 3152 N/A C:\Users\Admin\AppData\Local\Temp\fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477.exe C:\Windows\Logo1_.exe
PID 3152 wrote to memory of 2824 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2824 wrote to memory of 3980 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 684 wrote to memory of 924 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477.exe
PID 3152 wrote to memory of 3436 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477.exe

"C:\Users\Admin\AppData\Local\Temp\fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6002.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477.exe

"C:\Users\Admin\AppData\Local\Temp\fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 142.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

memory/3632-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\rundl132.exe

MD5 3c07fcf28cfc55eda6316b61767a0bd8
SHA1 780cd29c6647029cada8ded0e958214095379928
SHA256 b3be87549d1a0ab431df3c4cfd63b45ef8eb88dc1d0f33a483c0926130858817
SHA512 0bfcf6bfedc1224730dcec9c1717b8b7b3c8d17c48001c6331d4d45e10354bcdddedcd45d377b046db57df1dacf6c3f41f58f0868ab55102b47307e1a9e1f920

memory/3632-8-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3152-13-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a6002.bat

MD5 05113b17355b9b7bf02d2706208d47b1
SHA1 1d7be5972b3fe3750c7e6b729e6d29dc2065c66e
SHA256 54c4c7300798a9dc1cea665c49a6229fff83c7da876f54b19bfc5a46d99132b8
SHA512 669b25d23de27ea06ab58461038491fb84fae9b43e5e72edd4367ea1dea09a72fd59c3f9d3933cc29a94851ba358406c6cafa4fa4f0125aee016e887ee812b66

C:\Users\Admin\AppData\Local\Temp\fe9bd5f481874d97739aac9b0f532536dceaaed68df87046fdf693d0c8328477.exe.exe

MD5 c1b29586ebe8c3fd4c327cdb66d76590
SHA1 518cb3a7edf803fbd0e8ea80198d2927e4e1e611
SHA256 533dd3ccc2a4f1d9779a2c91711930b135d52d97d1750db98433b4144b11ce9d
SHA512 dd7fa188ee2ce9236043098bbf12879a87f8c7f183849e391b4939992d2dd5ac710223095dd5bbcb6dab800ca554d320bf0cedf52c72d057cac6021d66c28bd8

memory/924-19-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/924-20-0x0000000002960000-0x0000000002961000-memory.dmp

memory/3152-22-0x0000000000400000-0x0000000000434000-memory.dmp

memory/924-23-0x0000000000400000-0x00000000005DE000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3558294865-3673844354-2255444939-1000\_desktop.ini

MD5 4d28283e4d415600ffc2f8fda6d8c91e
SHA1 053dcb8d5d84b75459bc82d8740ee4684d680016
SHA256 b855effeaf01610130d3f38de35bc7f98bfc6643d98d4198af18534f048e8df7
SHA512 73a758cd5e5ac48d62dd89719be604214895e0cc9a10ff7464a6cf9161a37fd27d15dd2d2565f18198b381ac6442bcb36f38614df7b1176061a83616517a7edb

memory/3152-30-0x0000000000400000-0x0000000000434000-memory.dmp

memory/924-31-0x0000000000400000-0x00000000005DE000-memory.dmp

memory/924-32-0x0000000002960000-0x0000000002961000-memory.dmp

memory/3152-39-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3152-45-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Program Files\7-Zip\7z.exe

MD5 cccd2a9cb54b8e432799e52152eefbba
SHA1 6789bed72ace8ee1ecfeaf29548c042fc527d82e
SHA256 33ece59e33f7722a34a3559f79124de797831fc48096a3ba06fd8a0845c2843e
SHA512 9b99cb66bb74dc5b59409b3cd078d4f9261b4f6466b41eb4f3971318ce380879d6066004b144e3271b1c7c89d2d06c7bdb3c3656cd2257947827cef0ce87227b

memory/3152-82-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3152-1243-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 c454ec124e6e637c56ba553e5fadccd5
SHA1 abe2fca74be2095dbbbf0719f1c023c4ee103149
SHA256 86edcfdaad5beff444681d67531bbc0a0a0637e993fbedf886fa6be679fa8354
SHA512 5f339dd49c49b4342e1c105141b362d32bfcd3956deb141bc68865a19a0cbf4412097882a18366324b8430e90a820ff8eb729a3d24599e0aed184c0eb865108c

memory/3152-4810-0x0000000000400000-0x0000000000434000-memory.dmp

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 d82ffc872aed7c85cf936dcdcc2e6372
SHA1 50ca56cb4a429ce1532afaa2732f61833fc2b54f
SHA256 a487733710d946abff1a93a23ae6bbafd6c0800bc78e4d5e3cac36e2a14ddace
SHA512 0b0031418275c6be01f7757111058cd5bd3e5f4862e0631e2e28c5e7ffbb271446abdc2a88a7953ae55112799bc4a051becc2b14491e0d1760e336498665cc8b

memory/3152-5251-0x0000000000400000-0x0000000000434000-memory.dmp