Malware Analysis Report

2025-08-10 21:27

Sample ID 240525-axt8zagd3z
Target dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2
SHA256 dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2
Tags
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2

Threat Level: Shows suspicious behavior

The file dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2 was found to be: Shows suspicious behavior.

Malicious Activity Summary


Deletes itself

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Runs net.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-25 00:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-25 00:35

Reported

2024-05-25 00:38

Platform

win7-20240419-en

Max time kernel

150s

Max time network

118s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\appletviewer.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Internet Explorer\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\SystemV\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Mahjong\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\te\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\AccessWeb\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\Australia\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\access_output\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Oarpmany.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\bin\plugin2\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Pacific\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ONENOTE.EXE C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\etc\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Defender\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OfficeSoftwareProtectionPlatform\OSPPREARM.EXE C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1680 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe C:\Windows\SysWOW64\cmd.exe
PID 1680 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe C:\Windows\Logo1_.exe
PID 1680 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe C:\Windows\Logo1_.exe
PID 1680 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe C:\Windows\Logo1_.exe
PID 1680 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe C:\Windows\Logo1_.exe
PID 2912 wrote to memory of 2716 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2912 wrote to memory of 2716 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2912 wrote to memory of 2716 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2912 wrote to memory of 2716 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2228 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe
PID 2228 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe
PID 2228 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe
PID 2228 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe
PID 2716 wrote to memory of 2772 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2716 wrote to memory of 2772 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2716 wrote to memory of 2772 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2716 wrote to memory of 2772 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2912 wrote to memory of 1192 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2912 wrote to memory of 1192 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe

"C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a57D.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe

"C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/1680-0-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a57D.bat

MD5 4ac03ffc3b868ae4e7a742c94d23804c
SHA1 8b93477c34d80066cf4afb941c6478dabab604a9
SHA256 29807d1b4a4642cd9182282c606cce0ba41f72f672f8ab16fd5283013effe40b
SHA512 60ee85298ec1af9db1357c30c08c0c14ddc9979ab9a91404381bbe1e52a01888fbfc33bb5cd47d4e2090aefacdbf656235c59ac7331564c305609f34bfc86c6c

C:\Windows\Logo1_.exe

MD5 2b90d375fad4e39663e1c00356e9206b
SHA1 5c84c40605f4af4185647e0a68aafed0ebbdc393
SHA256 623973fd332abcafc9944af01d2fe114d0293a00cc29a67300cde94769b337cf
SHA512 7c9491cf52bdea6936bb7b2e30562941ca26a41587e5fdd05e02d17e37b773ebf0856092b3030ae31da2ce43196682e96873c0c9adfc8525903b11bf36e4806f

memory/2912-18-0x0000000000400000-0x0000000000435000-memory.dmp

memory/1680-16-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe.exe

MD5 e133c2d85cff4edd7fe8e8f0f8be6cdb
SHA1 b8269209ebb6fe44bc50dab35f97b0ae244701b4
SHA256 6c5e7d9c81a409e67c143cd3aed33bddc3967fa4c9ab3b98560b7d3bf57d093d
SHA512 701b7d1c7e154519d77043f7de09d60c1ff76c95f820fc1c9afca19724efb0847d646686053354156fd4e8a9dab1f29a79d3223f939a3ff1b3613770dc8603b1

memory/1192-29-0x0000000002D70000-0x0000000002D71000-memory.dmp

memory/2912-31-0x0000000000400000-0x0000000000435000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-481678230-3773327859-3495911762-1000\_desktop.ini

MD5 7619ead719f9163af9f64f79eeff7c36
SHA1 7b956c82fba1f4a0ea8b09ca2e39d89159e21b75
SHA256 da9af76d7e3938d1bd300436de0d394ef0453f260a69c94905084222eb3fbb45
SHA512 29dd3ef54766931036c2f0d755bb3fc89619e548c95658577930a5a748ac2b2855a9e5ee5601697ebbac8a7d435abd4c9e9e2255b0e455e267e0d95358fa86df

memory/2912-38-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2912-44-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2912-90-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2912-96-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2912-543-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2912-1873-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2912-2070-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 6735a16d04dfac1f92f7ab89c64b071f
SHA1 502eaa755229fc80b186faf533cf827c322bab66
SHA256 3a071105a38c10f7fa17dcc239337e999b57b68f4bd05c168b2548956931383c
SHA512 bfe01bb853f187f68d0fe64da2da4cf1d26c0491eb3183a7c7d5e905a1b1c3db90b84c1cdadb00c7d7f733ef32a9153dfa73de5259d9f1c3d401633145b420a8

memory/2912-3333-0x0000000000400000-0x0000000000435000-memory.dmp

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 88eb1bca8c399bc3f46e99cdde2f047e
SHA1 55fafbceb011e1af2edced978686a90971bd95f2
SHA256 42fd78c05bc240d4ded16ac974f17c336f6ae3a1814d548021c48a942cc30428
SHA512 149d4de0c024e25a13a7bb17471e6f48391d4f26b1c8388672320eed1c255f84219ad7b72bbebc531ae558d5192dd4bb6d0dddd6c65a45300c8e8348a4fb3728

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-25 00:35

Reported

2024-05-25 00:38

Platform

win10v2004-20240226-en

Max time kernel

152s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\LTR\contrast-white\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ar-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\zh-cn\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\zh_CN\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Microsoft.Msn.Shell\Themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fi-fi\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\jfr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Locale\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\AcroForm\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\cs-cz\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ru-ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nb-no\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\hu-hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\text_renderer\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\offer_cards\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\TCUI-Toolkit\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Trust Protection Lists\Mu\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_output\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\LTR\contrast-white\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.513.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\cs\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\packetizer\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\plugin2\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Assets\LiveTiles\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\uk-ua\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\jsaddins\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_2020.1906.55.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hr-hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\pl-pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_~_8wekyb3d8bbwe\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\he-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_GB\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\it-it\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\plugins\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 628 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe C:\Windows\SysWOW64\cmd.exe
PID 628 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe C:\Windows\SysWOW64\cmd.exe
PID 628 wrote to memory of 1304 N/A C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe C:\Windows\SysWOW64\cmd.exe
PID 628 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe C:\Windows\Logo1_.exe
PID 628 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe C:\Windows\Logo1_.exe
PID 628 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe C:\Windows\Logo1_.exe
PID 2992 wrote to memory of 4864 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2992 wrote to memory of 4864 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2992 wrote to memory of 4864 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4864 wrote to memory of 4740 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4864 wrote to memory of 4740 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4864 wrote to memory of 4740 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1304 wrote to memory of 3132 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe
PID 1304 wrote to memory of 3132 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe
PID 1304 wrote to memory of 3132 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe
PID 2992 wrote to memory of 3268 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2992 wrote to memory of 3268 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe

"C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aF4C0.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe

"C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4072 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 67.112.168.52.in-addr.arpa udp

Files

memory/628-0-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\Logo1_.exe

MD5 2b90d375fad4e39663e1c00356e9206b
SHA1 5c84c40605f4af4185647e0a68aafed0ebbdc393
SHA256 623973fd332abcafc9944af01d2fe114d0293a00cc29a67300cde94769b337cf
SHA512 7c9491cf52bdea6936bb7b2e30562941ca26a41587e5fdd05e02d17e37b773ebf0856092b3030ae31da2ce43196682e96873c0c9adfc8525903b11bf36e4806f

memory/2992-9-0x0000000000400000-0x0000000000435000-memory.dmp

memory/628-11-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aF4C0.bat

MD5 5b48b9faad06525d9632a4e49dbb8ca7
SHA1 750b8c73cc0dadc888c85ba345721767347e881d
SHA256 f86a69b534206aade43edd225dbfd6d5e78cc015ee300a95f3d71bc6584ac301
SHA512 544a422601c1bad4b5e3ad1a275eb16b06d9b26dfeebf167b207e1631bbe41714201f80251feebafb1ba9ea98ae643ee5dde26958be9ff90bac4e2d064828607

C:\Users\Admin\AppData\Local\Temp\dcae0255b8a638f19b0faf5d417ff7ae2c2a0b3b4131341242d3c10468b950e2.exe.exe

MD5 e133c2d85cff4edd7fe8e8f0f8be6cdb
SHA1 b8269209ebb6fe44bc50dab35f97b0ae244701b4
SHA256 6c5e7d9c81a409e67c143cd3aed33bddc3967fa4c9ab3b98560b7d3bf57d093d
SHA512 701b7d1c7e154519d77043f7de09d60c1ff76c95f820fc1c9afca19724efb0847d646686053354156fd4e8a9dab1f29a79d3223f939a3ff1b3613770dc8603b1

memory/2992-20-0x0000000000400000-0x0000000000435000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\_desktop.ini

MD5 7619ead719f9163af9f64f79eeff7c36
SHA1 7b956c82fba1f4a0ea8b09ca2e39d89159e21b75
SHA256 da9af76d7e3938d1bd300436de0d394ef0453f260a69c94905084222eb3fbb45
SHA512 29dd3ef54766931036c2f0d755bb3fc89619e548c95658577930a5a748ac2b2855a9e5ee5601697ebbac8a7d435abd4c9e9e2255b0e455e267e0d95358fa86df

memory/2992-27-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2992-34-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2992-38-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2992-42-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Program Files\7-Zip\7z.exe

MD5 bab747a805ee67f925718f2624d54a11
SHA1 3f6fa0fe958f3a43e38c66014443e0c261f46bcc
SHA256 03078980fff7ce8873b7e46fd8b79c2a86bb0354fc65268eac2aeff6d981e73e
SHA512 65edbfebdfdf27c496f596bac45f63cd4834dbfb171bd2683a15a3d207b489ee65a045a0b78729005b457f551f128f444fba45baa63c8fe8748f422f48431c14

memory/2992-242-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2992-1016-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2992-1183-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2992-2144-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 6735a16d04dfac1f92f7ab89c64b071f
SHA1 502eaa755229fc80b186faf533cf827c322bab66
SHA256 3a071105a38c10f7fa17dcc239337e999b57b68f4bd05c168b2548956931383c
SHA512 bfe01bb853f187f68d0fe64da2da4cf1d26c0491eb3183a7c7d5e905a1b1c3db90b84c1cdadb00c7d7f733ef32a9153dfa73de5259d9f1c3d401633145b420a8