Malware Analysis Report

2025-01-17 22:26

Sample ID 240603-qtlqesgb21
Target c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025
SHA256 c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025
Tags
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025

Threat Level: Shows suspicious behavior

The file c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025 was found to be: Shows suspicious behavior.

Malicious Activity Summary


Executes dropped EXE

Deletes itself

Loads dropped DLL

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 13:33

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 13:33

Reported

2024-06-03 13:35

Platform

win7-20240221-en

Max time kernel

149s

Max time network

120s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\zu\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Triedit\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\defaults\pref\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PROOF\3082\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\images\cursors\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\Solitaire.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\sidebar.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\jfr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\te\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\logger\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolBMPs\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\km\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Defender\MSASCui.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\DESIGNER\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\d3d11\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RADIAL\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ar\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2084 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025.exe C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025.exe C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025.exe C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025.exe C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025.exe C:\Windows\Logo1_.exe
PID 2084 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025.exe C:\Windows\Logo1_.exe
PID 2084 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025.exe C:\Windows\Logo1_.exe
PID 2084 wrote to memory of 3000 N/A C:\Users\Admin\AppData\Local\Temp\c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025.exe C:\Windows\Logo1_.exe
PID 3000 wrote to memory of 2656 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3000 wrote to memory of 2656 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3000 wrote to memory of 2656 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3000 wrote to memory of 2656 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2596 wrote to memory of 2824 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025.exe
PID 2596 wrote to memory of 2824 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025.exe
PID 2596 wrote to memory of 2824 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025.exe
PID 2596 wrote to memory of 2824 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025.exe
PID 2656 wrote to memory of 2000 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2656 wrote to memory of 2000 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2656 wrote to memory of 2000 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2656 wrote to memory of 2000 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3000 wrote to memory of 1104 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 3000 wrote to memory of 1104 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025.exe

"C:\Users\Admin\AppData\Local\Temp\c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a54E.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025.exe

"C:\Users\Admin\AppData\Local\Temp\c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/2084-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a54E.bat

MD5 6456cfcf83cec17cb1cb85159216b9cf
SHA1 ca60b425bd414fc932e371dbc7b1a58f552d459c
SHA256 1745ce339fb8f06abc1800dbe6ce7d7679d0348cc950d99b5846ba1e90d9b677
SHA512 c6ad717d26de958ac3825a6fc1f34423053a2c9e6fbbfa89f651af4555ca91613b6b95d310082fbf79425a25f7b0f2db6c87d49e6aea82d2e897ef8d60b7533e

memory/2084-12-0x00000000002B0000-0x00000000002E4000-memory.dmp

C:\Windows\Logo1_.exe

MD5 4298e0c223e6572693e5a6b29279c1da
SHA1 5bd4c027c9433de22fec622bb7b13b863cee8de4
SHA256 bfe4186213f6d4cc116612e337bbe7a4c713d4cd02155dd649b31bf93476bd43
SHA512 d5df016ba3a3bcee7370ddd2aca1518fdde68dd681a17c45c8f7cf25a780be5903d49cf03410accfd8d176ce1653d9a49eb0544f5d0d1d091aa2d99fc8186ec1

memory/2084-18-0x00000000002B0000-0x00000000002E4000-memory.dmp

memory/2084-17-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\rundl132.exe

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025.exe.exe

MD5 c9f853de1e78fc0dedfed88e35f127f8
SHA1 36da03865c8337aab2f4bfac4b2195554e84a0e4
SHA256 2ad0dedcda48a899960f06b90b0fb9d08c83fef416f616ce359340fce4886eb4
SHA512 c1ace7f8e72af4929d4e1804882889b4e6e8cc60b616680412695ef259bc2ccd61d6040d92ef31f3a8a214e55ca66c0468823074b330fd1dd32428e0a5eb71f9

memory/1104-34-0x0000000002D60000-0x0000000002D61000-memory.dmp

memory/3000-36-0x0000000000400000-0x0000000000434000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3452737119-3959686427-228443150-1000\_desktop.ini

MD5 a6f28952c332969f9e6d9f7d1a449737
SHA1 31c0826adb63cc03162fb9e88781f4b50da8f11b
SHA256 d9d875805581110dafdfb2ceb34c5e60f50fe720963f9813c287e4845248d208
SHA512 8187572ee8fbb9a42af34a3444be3a4309c5a798e7b1f27fce5b28b7168b72d015b1c10e611ccd3a9361af2aaeab831d2734017f77adff341c3fdb876c296eac

memory/3000-43-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3000-49-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3000-95-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3000-101-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3000-600-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3000-1855-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3000-2058-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 fa03025a5356ec12c1be2bf6f554120d
SHA1 2bcdaa6bbce818a1d260c4293a07b5076a104e56
SHA256 8906bb45077aeebb6eaca93bccaa133623f3b5e9dcc0b50dc4c6edcc3ea1571a
SHA512 c78ac5d658231ba4dfb54941dfd3fb6e0752d6ec6215743679d1274bd16f5e283dca110f63db3955c23091d2de3f75c2fc5b6630e0be36ea37a16eb81b8716b0

memory/3000-3317-0x0000000000400000-0x0000000000434000-memory.dmp

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 4cfdb20b04aa239d6f9e83084d5d0a77
SHA1 f22863e04cc1fd4435f785993ede165bd8245ac6
SHA256 30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9
SHA512 35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 13:33

Reported

2024-06-03 13:35

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

128s

Command Line

C:\Windows\Explorer.EXE

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-200_8wekyb3d8bbwe\Assets\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_2019.807.41.0_neutral_~_8wekyb3d8bbwe\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.UI\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\de\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-white\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\Fonts\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sv\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\BHO\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\ResiliencyLinks\Notifications\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\rhp\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pl-pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\WhatsNew.Store.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\SpeechToTextOverlay64-Retail.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\uk-ua\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\cmm\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\or_IN\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_chroma\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_neutral_~_8wekyb3d8bbwe\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-black\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ja-jp\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sl-si\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_~_kzf8qxf38zg5c\microsoft.system.package.metadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\sr-latn-cs\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\MEIPreload\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxAccounts.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\ink\uk-UA\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ml\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\mk-MK\View3d\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MixedReality.Portal_2000.19081.1301.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-white\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\EBWebView\x64\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\CortanaApp.ViewElements\Assets\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\pl-pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1792 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025.exe C:\Windows\SysWOW64\cmd.exe
PID 1792 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025.exe C:\Windows\SysWOW64\cmd.exe
PID 1792 wrote to memory of 728 N/A C:\Users\Admin\AppData\Local\Temp\c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025.exe C:\Windows\SysWOW64\cmd.exe
PID 1792 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025.exe C:\Windows\Logo1_.exe
PID 1792 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025.exe C:\Windows\Logo1_.exe
PID 1792 wrote to memory of 4376 N/A C:\Users\Admin\AppData\Local\Temp\c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025.exe C:\Windows\Logo1_.exe
PID 4376 wrote to memory of 708 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4376 wrote to memory of 708 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4376 wrote to memory of 708 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 708 wrote to memory of 1028 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 708 wrote to memory of 1028 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 708 wrote to memory of 1028 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 728 wrote to memory of 3516 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025.exe
PID 728 wrote to memory of 3516 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025.exe
PID 728 wrote to memory of 3516 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025.exe
PID 4376 wrote to memory of 3520 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 4376 wrote to memory of 3520 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025.exe

"C:\Users\Admin\AppData\Local\Temp\c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aEEC5.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025.exe

"C:\Users\Admin\AppData\Local\Temp\c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4036,i,10373433614523925616,13586256558317053467,262144 --variations-seed-version --mojo-platform-channel-handle=4008 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 152.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 27.173.189.20.in-addr.arpa udp

Files

memory/1792-0-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1792-10-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4376-13-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\rundl132.exe

MD5 4298e0c223e6572693e5a6b29279c1da
SHA1 5bd4c027c9433de22fec622bb7b13b863cee8de4
SHA256 bfe4186213f6d4cc116612e337bbe7a4c713d4cd02155dd649b31bf93476bd43
SHA512 d5df016ba3a3bcee7370ddd2aca1518fdde68dd681a17c45c8f7cf25a780be5903d49cf03410accfd8d176ce1653d9a49eb0544f5d0d1d091aa2d99fc8186ec1

C:\Users\Admin\AppData\Local\Temp\$$aEEC5.bat

MD5 a13c891dde0cc2447d1f7557fef25745
SHA1 2c001db91e185a6f62aa96ab01adbcc631605bfa
SHA256 67c5183549e9e03ad786e137df4ed334a76569e66af8a0d895a002ab9dade204
SHA512 3eb7f6d8946b8ca3c867c6823016e4a1f36dd91a5be187215d20edc89b11789a192962eda6f8e3b8c2daa13aa3d6dfc548b4120eb5c973c3e630068848cbf194

C:\Users\Admin\AppData\Local\Temp\c84158e9f0581534d231159812de7d0900060f8527f7ac15e2354c3d5762d025.exe.exe

MD5 c9f853de1e78fc0dedfed88e35f127f8
SHA1 36da03865c8337aab2f4bfac4b2195554e84a0e4
SHA256 2ad0dedcda48a899960f06b90b0fb9d08c83fef416f616ce359340fce4886eb4
SHA512 c1ace7f8e72af4929d4e1804882889b4e6e8cc60b616680412695ef259bc2ccd61d6040d92ef31f3a8a214e55ca66c0468823074b330fd1dd32428e0a5eb71f9

memory/4376-24-0x0000000000400000-0x0000000000434000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-1181767204-2009306918-3718769404-1000\_desktop.ini

MD5 a6f28952c332969f9e6d9f7d1a449737
SHA1 31c0826adb63cc03162fb9e88781f4b50da8f11b
SHA256 d9d875805581110dafdfb2ceb34c5e60f50fe720963f9813c287e4845248d208
SHA512 8187572ee8fbb9a42af34a3444be3a4309c5a798e7b1f27fce5b28b7168b72d015b1c10e611ccd3a9361af2aaeab831d2734017f77adff341c3fdb876c296eac

memory/4376-31-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4376-37-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4376-41-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Program Files\7-Zip\7z.exe

MD5 cdd1e1f44869a40a61f093b2806f23d3
SHA1 9856dd59b196a7d2100abee9edbd10c85423783f
SHA256 0f71dbf0dc35e50d076d2989bb16406ee436bbb1a8cdb051df58bd515fd230fa
SHA512 efaad454eef1d53e3ec8c885914fceebd30503c4791dbe32f0aa64f97ada2c207fab228d6e20142ba793cc76bcfc7ed591fc2c25c03872a2798550e07510fb40

memory/4376-1241-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 fa03025a5356ec12c1be2bf6f554120d
SHA1 2bcdaa6bbce818a1d260c4293a07b5076a104e56
SHA256 8906bb45077aeebb6eaca93bccaa133623f3b5e9dcc0b50dc4c6edcc3ea1571a
SHA512 c78ac5d658231ba4dfb54941dfd3fb6e0752d6ec6215743679d1274bd16f5e283dca110f63db3955c23091d2de3f75c2fc5b6630e0be36ea37a16eb81b8716b0

memory/4376-4881-0x0000000000400000-0x0000000000434000-memory.dmp

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 2500f702e2b9632127c14e4eaae5d424
SHA1 8726fef12958265214eeb58001c995629834b13a
SHA256 82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c
SHA512 f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

memory/4376-5326-0x0000000000400000-0x0000000000434000-memory.dmp