Malware Analysis Report

2025-01-22 12:22

Sample ID 240518-j8qvcsbd78
Target 9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91
SHA256 9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91
Tags
aspackv2
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91

Threat Level: Shows suspicious behavior

The file 9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91 was found to be: Shows suspicious behavior.

Malicious Activity Summary

aspackv2

ASPack v2.12-2.42

Deletes itself

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Runs net.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-18 08:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-18 08:20

Reported

2024-05-18 08:23

Platform

win7-20240508-en

Max time kernel

150s

Max time network

119s

Command Line

C:\Windows\Explorer.EXE

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft Office\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\requests\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Internet Explorer\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Journal\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Photo Viewer\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\OneNote\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\fy\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\CrashReports\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\locale\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Checkers\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ar\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\IDTemplates\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\LEVEL\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PROOF\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\SAMPLES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\da\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\brx\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\am_ET\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\lv\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\af\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Journal\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2008 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91.exe C:\Windows\SysWOW64\cmd.exe
PID 2008 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91.exe C:\Windows\SysWOW64\cmd.exe
PID 2008 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91.exe C:\Windows\SysWOW64\cmd.exe
PID 2008 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91.exe C:\Windows\SysWOW64\cmd.exe
PID 2008 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91.exe C:\Windows\Logo1_.exe
PID 2008 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91.exe C:\Windows\Logo1_.exe
PID 2008 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91.exe C:\Windows\Logo1_.exe
PID 2008 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91.exe C:\Windows\Logo1_.exe
PID 3060 wrote to memory of 2608 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3060 wrote to memory of 2608 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3060 wrote to memory of 2608 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3060 wrote to memory of 2608 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2608 wrote to memory of 2656 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2608 wrote to memory of 2656 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2608 wrote to memory of 2656 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2608 wrote to memory of 2656 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3028 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91.exe
PID 3028 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91.exe
PID 3028 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91.exe
PID 3028 wrote to memory of 2636 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91.exe
PID 3060 wrote to memory of 1136 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 3060 wrote to memory of 1136 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91.exe

"C:\Users\Admin\AppData\Local\Temp\9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$aF3D.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91.exe

"C:\Users\Admin\AppData\Local\Temp\9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91.exe"

Network

N/A

Files

memory/2008-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aF3D.bat

MD5 c320b22e49923dc2bb44b6a72e03c1a9
SHA1 a9a01b39ddf2aece71293dab238857275fefcbb9
SHA256 67a4680e325f0f520a2f6ef1dff7a21e89254fd5928d1b7d6e1b87ae82492206
SHA512 fb87c9626d2b07e74a57c0b6e5c5659e7b27d1a637667d27f12165b3be63c380060aab9671f211dbc1488a18486bfe9be828c05f5fbd642d34126d0175aa379d

memory/2008-12-0x0000000000220000-0x0000000000254000-memory.dmp

C:\Windows\rundl132.exe

MD5 dea14af0f9be51fe72d08ec742a4cf0e
SHA1 716bc3363f0ec0da43a440bd069fad84084c0d2b
SHA256 5de83cf690c9e6f161d5897b1a29fe7a4c57a0ecee64e0150ae4114bff88e39e
SHA512 0b428f4fffca17146288f04f7d9197a022afef63cd081ff2146ea02c3db8583ab63193056a7d410cfdd48fb43dc177b7286cd77a25a81ad309ed22415b05a911

memory/2008-18-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2008-17-0x0000000000220000-0x0000000000254000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91.exe.exe

MD5 6211f2cc1e8c6643116424e39fddc3ba
SHA1 26881aa57c818068c821bba98628f456711baa5a
SHA256 fcae6af423de10636532acc61734e26c1ffb0c52d507a794f6554878517eac98
SHA512 13755d92c6d45a51e40c334fe3913c33ed2e85527afea8db36c0fde0a2d00078959b95dcf7686d0dd0e5ab87a1ccbabb872722176e5986272569953f7df54d6a

memory/3028-28-0x0000000002300000-0x00000000023DB000-memory.dmp

memory/2636-31-0x0000000000400000-0x00000000004DB000-memory.dmp

memory/2636-32-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/1136-34-0x0000000002520000-0x0000000002521000-memory.dmp

memory/3060-36-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2636-37-0x0000000000400000-0x00000000004DB000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-2737914667-933161113-3798636211-1000\_desktop.ini

MD5 1d8a3f28a10f9f8be912b9aa0d257c6f
SHA1 358ca1e31914fb991e009c945a40796cf465bb50
SHA256 3887316b3cbbf3fa224813b5883e0ee043c8422d4f72d4ebdf0ae8a195b40d3e
SHA512 b1ec3f07af4abcdc007ab43a9e685419176d74a6856df9be9085f5bc33178b91b30fc44667fd083d2aa818483b4ea216920fa479ebb277325c7b1e5d7a8caec1

memory/3060-44-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3028-46-0x0000000002300000-0x00000000023DB000-memory.dmp

memory/2636-47-0x00000000003A0000-0x00000000003A1000-memory.dmp

memory/3060-56-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3060-102-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3060-110-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3060-888-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3060-1890-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3060-2361-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 533ce215a7c274602dc456ca375cef93
SHA1 76c502d7c45eca3fd96f6b04eb850e751bc785dd
SHA256 d70c9f73bbeed5cbc0df4a4d14bae68789f84d8092281337d2919322b288ce9c
SHA512 09d9dee36c48567921de4b7c31c4a822d5f9ed5e0b1cb0330031b320f40b5ba9b15e89dc37d52561094642c0ff16c14d32e81ed5b1dac06150fefbbd6f3365bf

memory/3060-3352-0x0000000000400000-0x0000000000434000-memory.dmp

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 4cfdb20b04aa239d6f9e83084d5d0a77
SHA1 f22863e04cc1fd4435f785993ede165bd8245ac6
SHA256 30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9
SHA512 35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-18 08:20

Reported

2024-05-18 08:23

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

102s

Command Line

C:\Windows\Explorer.EXE

Signatures

ASPack v2.12-2.42

aspackv2
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\images\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\ru-ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Internet Explorer\uk-UA\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\oc\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-black\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sl-SI\View3d\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugins\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\it-it\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\de-de\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\email\themes\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ar-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\HostSideAdapters\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\misc\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.DesktopAppInstaller_1.0.30251.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\it-it\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\110.0.5481.104\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\legal\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\Annotations\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\Assets\ThankYou\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\110.0.5481.104\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ku_IQ\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-black\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\cef\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\home-view\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-standard\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\zh-cn\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nb-no\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\{878BCDD2-1ABC-4948-8DA1-C8645DF0F833}\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ko\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\eu-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Defender\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Mozilla Firefox\uninstall\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_2019.716.2316.0_neutral_~_8wekyb3d8bbwe\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\de-de\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\text_renderer\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\loc_archives\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1380 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91.exe C:\Windows\SysWOW64\cmd.exe
PID 1380 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91.exe C:\Windows\SysWOW64\cmd.exe
PID 1380 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91.exe C:\Windows\SysWOW64\cmd.exe
PID 1380 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91.exe C:\Windows\Logo1_.exe
PID 1380 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91.exe C:\Windows\Logo1_.exe
PID 1380 wrote to memory of 4808 N/A C:\Users\Admin\AppData\Local\Temp\9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91.exe C:\Windows\Logo1_.exe
PID 4808 wrote to memory of 4208 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4808 wrote to memory of 4208 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4808 wrote to memory of 4208 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4208 wrote to memory of 1688 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4208 wrote to memory of 1688 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4208 wrote to memory of 1688 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3384 wrote to memory of 1080 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91.exe
PID 3384 wrote to memory of 1080 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91.exe
PID 3384 wrote to memory of 1080 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91.exe
PID 4808 wrote to memory of 3412 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 4808 wrote to memory of 3412 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

Image: C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE

Image: C:\Users\Admin\AppData\Local\Temp\9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91.exe"

Image: C:\Windows\SysWOW64\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6551.bat

Image: C:\Windows\Logo1_.exe
Command line: C:\Windows\Logo1_.exe

Image: C:\Windows\SysWOW64\net.exe
Command line: net stop "Kingsoft AntiVirus Service"

Image: C:\Windows\SysWOW64\net1.exe
Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Image: C:\Users\Admin\AppData\Local\Temp\9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91.exe"
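The WriteProcessMemory table, the command lines above and the "Drops file in Windows directory" rows can be folded into a small lineage triage. The script below is an added example written for this page; it is not sandbox output and not code from the sample. The PIDs, images, command lines and dropped paths are copied from the tables above with the repeated write events collapsed to one edge per writer/target pair. The rule names, the keyword list used to recognise a security-product service, the list of system directories and sensitive target processes, and the treatment of a write from Logo1_.exe into Explorer.EXE as a candidate injection rather than process creation are assumptions of the example.

```python
"""Triage of the process lineage recorded in this report (added example, not sandbox output)."""
import ntpath
import re

# Rows copied from the report's "Suspicious use of WriteProcessMemory" table,
# one entry per (writer, target) pair; the sandbox logged each write call separately.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91.exe"
WRITES = [  # (writer pid, writer image, target pid, target image)
    (1380, SAMPLE, 3384, r"C:\Windows\SysWOW64\cmd.exe"),
    (1380, SAMPLE, 4808, r"C:\Windows\Logo1_.exe"),
    (4808, r"C:\Windows\Logo1_.exe", 4208, r"C:\Windows\SysWOW64\net.exe"),
    (4208, r"C:\Windows\SysWOW64\net.exe", 1688, r"C:\Windows\SysWOW64\net1.exe"),
    (3384, r"C:\Windows\SysWOW64\cmd.exe", 1080, SAMPLE),
    (4808, r"C:\Windows\Logo1_.exe", 3412, r"C:\Windows\Explorer.EXE"),
]
# Command lines copied from the Processes section.
CMDLINES = {
    3384: r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6551.bat",
    4208: r'net stop "Kingsoft AntiVirus Service"',
    1688: r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"',
}
# (created path, creating image) from "Drops file in Windows directory".
DROPS = [
    (r"C:\Windows\rundl132.exe", SAMPLE),
    (r"C:\Windows\Logo1_.exe", SAMPLE),
    (r"C:\Windows\vDll.dll", r"C:\Windows\Logo1_.exe"),
]

# Heuristic knobs: assumptions of this example, not report content.
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
SENSITIVE_TARGETS = {"explorer.exe", "svchost.exe", "lsass.exe", "winlogon.exe"}
AV_WORDS = ("antivirus", "anti-virus", "kingsoft", "defender", "security")
SERVICE_STOP = re.compile(r'\bnet1?(?:\.exe)?\s+stop\s+"?([^"]+)"?', re.IGNORECASE)
TEMP_BAT = re.compile(r"cmd(?:\.exe)?\s+/c\s+(\S*\\appdata\\local\\temp\\\$\$\S*\.bat)", re.IGNORECASE)


def lineage(writes):
    """target pid -> (writer pid, writer image). A parent's write into a child it
    has just created is how the sandbox observed process creation here."""
    return {tgt: (src, src_img) for src, src_img, tgt, _ in writes}


def chain(writes, pid):
    """Ancestors of `pid`, nearest first, following writer edges (cycle-safe)."""
    parents, out, seen = lineage(writes), [], set()
    while pid in parents and pid not in seen:
        seen.add(pid)
        pid, img = parents[pid]
        out.append((pid, img))
    return out


def roots(writes):
    """Writers that were never themselves written into: the submitted sample."""
    return {src for src, _, _, _ in writes} - {tgt for _, _, tgt, _ in writes}


def triage(writes, cmdlines, drops):
    """Return (rule, pid-or-image, detail) findings over the copied rows."""
    findings = []
    root_imgs = {img for src, img, _, _ in writes if src in roots(writes)}
    for pid, cl in cmdlines.items():
        m = SERVICE_STOP.search(cl)
        if m and any(w in m.group(1).lower() for w in AV_WORDS):
            findings.append(("av_service_stop", pid, m.group(1).strip()))
        m = TEMP_BAT.search(cl)
        if m:
            findings.append(("temp_batch_launcher", pid, m.group(1)))
    for src, src_img, tgt, tgt_img in writes:
        tgt_name = ntpath.basename(tgt_img).lower()
        # A non-system image writing into a long-lived system process: candidate injection.
        if tgt_name in SENSITIVE_TARGETS and not src_img.lower().startswith(SYSTEM_DIRS):
            findings.append(("write_into_system_process", src, tgt_name))
        # cmd.exe (the batch file) starting a binary at the sample's own path again.
        if tgt_img in root_imgs and ntpath.basename(src_img).lower() == "cmd.exe":
            findings.append(("relaunch_of_sample", src, tgt))
    for path, creator in drops:
        if ntpath.dirname(path).lower() == r"c:\windows" and path.lower().endswith((".exe", ".dll")):
            findings.append(("binary_dropped_in_windows_root", creator, path))
    return findings


if __name__ == "__main__":
    for f in triage(WRITES, CMDLINES, DROPS):
        print(f)
    print("ancestors of 1688:", chain(WRITES, 1688))
```

net.exe hands the request to net1.exe, so the service stop is reported once per PID. Explorer.EXE is the first entry in the process list, i.e. the process that launched the sample, so the write from Logo1_.exe (PID 4808) into it cannot be process creation and is reported separately from the parent-to-child writes.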

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 77.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp

Files

memory/1380-0-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1380-9-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\Logo1_.exe

MD5 dea14af0f9be51fe72d08ec742a4cf0e
SHA1 716bc3363f0ec0da43a440bd069fad84084c0d2b
SHA256 5de83cf690c9e6f161d5897b1a29fe7a4c57a0ecee64e0150ae4114bff88e39e
SHA512 0b428f4fffca17146288f04f7d9197a022afef63cd081ff2146ea02c3db8583ab63193056a7d410cfdd48fb43dc177b7286cd77a25a81ad309ed22415b05a911

memory/4808-10-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a6551.bat

MD5 878b791756e9484994b7d26264264cd9
SHA1 b279aa981603cac4de904308e082b544d1f467ca
SHA256 4739d718cb76658bdb13eba30e54e328042f5940236304b5ea15c46e83b9181a
SHA512 bf0fa76c33b5fdf37062674fb852c5363b6bc8ad3559ab649f9bba4f2b25e8a45e0307c55daf250d5887830d059a26352fcd5d3213b96adec06084384f96d135

C:\Users\Admin\AppData\Local\Temp\9fd5e3555ea7a4b2d604ac0ad6ec0bffb17fdce7f14d9bb15d18041823a4ec91.exe.exe

MD5 6211f2cc1e8c6643116424e39fddc3ba
SHA1 26881aa57c818068c821bba98628f456711baa5a
SHA256 fcae6af423de10636532acc61734e26c1ffb0c52d507a794f6554878517eac98
SHA512 13755d92c6d45a51e40c334fe3913c33ed2e85527afea8db36c0fde0a2d00078959b95dcf7686d0dd0e5ab87a1ccbabb872722176e5986272569953f7df54d6a

memory/1080-19-0x0000000000400000-0x00000000004DB000-memory.dmp

memory/1080-20-0x00000000009E0000-0x00000000009E1000-memory.dmp

memory/4808-22-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1080-23-0x0000000000400000-0x00000000004DB000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\_desktop.ini

MD5 1d8a3f28a10f9f8be912b9aa0d257c6f
SHA1 358ca1e31914fb991e009c945a40796cf465bb50
SHA256 3887316b3cbbf3fa224813b5883e0ee043c8422d4f72d4ebdf0ae8a195b40d3e
SHA512 b1ec3f07af4abcdc007ab43a9e685419176d74a6856df9be9085f5bc33178b91b30fc44667fd083d2aa818483b4ea216920fa479ebb277325c7b1e5d7a8caec1

memory/4808-30-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1080-32-0x00000000009E0000-0x00000000009E1000-memory.dmp

memory/4808-39-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4808-45-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Program Files\7-Zip\7z.exe

MD5 599172594ccbf7e52eacdada5ebeba64
SHA1 c13df28c9018a4af1fef272905fdaf96e3fe9107
SHA256 e58452e488e9d795720c9cc87014bde55ce227aa5f1462d96191486073ae9b67
SHA512 a267f13e81362817d0914204a0a3d60e214725b6d2b2a5f0d63a3c48af33e47a73443188c182dcbdba0a9d5f75e797565a9dc72306c9217328807e93d6887626

memory/4808-62-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4808-1243-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 533ce215a7c274602dc456ca375cef93
SHA1 76c502d7c45eca3fd96f6b04eb850e751bc785dd
SHA256 d70c9f73bbeed5cbc0df4a4d14bae68789f84d8092281337d2919322b288ce9c
SHA512 09d9dee36c48567921de4b7c31c4a822d5f9ed5e0b1cb0330031b320f40b5ba9b15e89dc37d52561094642c0ff16c14d32e81ed5b1dac06150fefbbd6f3365bf

memory/4808-4810-0x0000000000400000-0x0000000000434000-memory.dmp

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 2500f702e2b9632127c14e4eaae5d424
SHA1 8726fef12958265214eeb58001c995629834b13a
SHA256 82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c
SHA512 f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

memory/4808-5251-0x0000000000400000-0x0000000000434000-memory.dmp
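The hashes and names in the Files section, the rundl132.exe / Logo1_.exe / vDll.dll drops and the `_desktop.ini` files written across drives and Program Files are the indicators a responder would check on other hosts. The hunt script below is an added example for this page, not sandbox output and not code from the sample. The SHA256 values, paths and file names are copied from the report; the `$$<hex>.bat` pattern (only `$$a6551.bat` appears above), the size cap on hashing and the constructed directory tree built by `demo()` are assumptions of the example.

```python
"""Host hunt for the file artifacts in this report (added example, not sandbox output)."""
import hashlib
import os
import re
import shutil
import tempfile

# SHA256 values and paths copied from the report's Files section.
KNOWN_SHA256 = {
    "5de83cf690c9e6f161d5897b1a29fe7a4c57a0ecee64e0150ae4114bff88e39e": r"C:\Windows\Logo1_.exe",
    "4739d718cb76658bdb13eba30e54e328042f5940236304b5ea15c46e83b9181a": r"C:\Users\Admin\AppData\Local\Temp\$$a6551.bat",
    "3887316b3cbbf3fa224813b5883e0ee043c8422d4f72d4ebdf0ae8a195b40d3e": r"F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\_desktop.ini",
}
# File names from "Drops file in Windows directory", matched case-insensitively.
KNOWN_NAMES = {"logo1_.exe", "rundl132.exe", "vdll.dll"}
MARKER_NAME = "_desktop.ini"        # underscore prefix; the legitimate file is desktop.ini
# Only one batch name ($$a6551.bat) appears in the report; generalising it is an assumption.
TEMP_BAT = re.compile(r"^\$\$[0-9a-f]+\.bat$", re.IGNORECASE)
MAX_HASH_BYTES = 64 << 20           # assumed cap: skip hashing very large files


def sha256_of(path, chunk=1 << 20):
    """Chunked SHA256 so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(root, known_hashes=KNOWN_SHA256):
    """Walk `root` and return (reason, path) pairs for files matching the report's indicators."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lname = name.lower()
            if lname in KNOWN_NAMES:
                findings.append(("dropped_binary_name", path))
            if lname == MARKER_NAME:
                findings.append(("infection_marker", path))
            if TEMP_BAT.match(name):
                findings.append(("temp_batch", path))
            try:
                if os.path.getsize(path) > MAX_HASH_BYTES:
                    continue
                digest = sha256_of(path)
            except OSError:
                continue                 # unreadable or vanished file: skip, do not abort the walk
            if digest in known_hashes:
                findings.append(("hash_match:" + digest[:12], path))
    return findings


def demo():
    """Constructed tree (no real malware): exercises every indicator type, then cleans up."""
    root = tempfile.mkdtemp(prefix="hunt-demo-")

    def put(rel, data=b"constructed placeholder content\n"):
        p = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(p), exist_ok=True)
        with open(p, "wb") as fh:
            fh.write(data)
        return p

    put("Windows/Logo1_.exe")
    put("Windows/System32/desktop.ini")                 # legitimate name, must not match
    put("Program Files/VideoLAN/VLC/_desktop.ini")
    put("Users/Admin/AppData/Local/Temp/$$a6551.bat", b"@echo off\r\n")
    planted = put("Users/Admin/Downloads/unknown.bin", b"stand-in for a file on the hash list\n")
    iocs = dict(KNOWN_SHA256)
    iocs[sha256_of(planted)] = planted                   # constructed: demonstrates the hash path
    try:
        return sorted(hunt(root, iocs))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for reason, path in demo():
        print(f"{reason:28} {path}")
```

Name matches are deliberately reported independently of the hash matches: the Logo1_.exe hash above belongs to this one sample, and a rebuilt or re-packed copy keeps the file name while changing the digest.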