Malware Analysis Report

2024-11-30 04:20

Sample ID: 240613-a6rjfa1glj
Target: 3e3aca8e34cc40ab388f58b3238bf0d74a6f4d4cb8e7b2067ccb9ff268a5e783
SHA256: 3e3aca8e34cc40ab388f58b3238bf0d74a6f4d4cb8e7b2067ccb9ff268a5e783
Tags: spyware, stealer
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: 3e3aca8e34cc40ab388f58b3238bf0d74a6f4d4cb8e7b2067ccb9ff268a5e783

Threat Level: Shows suspicious behavior

The file 3e3aca8e34cc40ab388f58b3238bf0d74a6f4d4cb8e7b2067ccb9ff268a5e783 was found to show suspicious behavior.

Malicious Activity Summary

spyware stealer

Deletes itself

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-13 00:49

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 00:49

Reported: 2024-06-13 00:52

Platform: win7-20240221-en

Max time kernel: 149s

Max time network: 145s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\VideoLAN\VLC\locale\brx\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Minesweeper\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\requests\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\intf\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Install\{5CF72A45-AD68-472B-BBFF-38A947BD74EE}\chrome_installer.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\hrtfs\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ff\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\North_Dakota\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\java.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Mozilla Firefox\browser\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Basic\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Lime\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\lg\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ast\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Push\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jmap.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\an\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\wmprph.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\modules\locale\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Photo Viewer\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\STS2\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\bn_IN\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\wa\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\3e3aca8e34cc40ab388f58b3238bf0d74a6f4d4cb8e7b2067ccb9ff268a5e783.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\3e3aca8e34cc40ab388f58b3238bf0d74a6f4d4cb8e7b2067ccb9ff268a5e783.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A (10 identical events)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2868 wrote to memory of 2564 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\3e3aca8e34cc40ab388f58b3238bf0d74a6f4d4cb8e7b2067ccb9ff268a5e783.exe C:\Windows\SysWOW64\cmd.exe
PID 2868 wrote to memory of 2688 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\3e3aca8e34cc40ab388f58b3238bf0d74a6f4d4cb8e7b2067ccb9ff268a5e783.exe C:\Windows\Logo1_.exe
PID 2688 wrote to memory of 2572 (4 events) N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2572 wrote to memory of 2504 (4 events) N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2564 wrote to memory of 1652 (4 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\3e3aca8e34cc40ab388f58b3238bf0d74a6f4d4cb8e7b2067ccb9ff268a5e783.exe
PID 2688 wrote to memory of 1180 (2 events) N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE (PID 1180)
  Command line: C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\3e3aca8e34cc40ab388f58b3238bf0d74a6f4d4cb8e7b2067ccb9ff268a5e783.exe (PID 2868)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3e3aca8e34cc40ab388f58b3238bf0d74a6f4d4cb8e7b2067ccb9ff268a5e783.exe"

C:\Windows\SysWOW64\cmd.exe (PID 2564, written to by PID 2868)
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a25F8.bat

C:\Windows\Logo1_.exe (PID 2688, written to by PID 2868)
  Command line: C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe (PID 2572, written to by PID 2688)
  Command line: net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe (PID 2504, written to by PID 2572)
  Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\3e3aca8e34cc40ab388f58b3238bf0d74a6f4d4cb8e7b2067ccb9ff268a5e783.exe (PID 1652, written to by PID 2564)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3e3aca8e34cc40ab388f58b3238bf0d74a6f4d4cb8e7b2067ccb9ff268a5e783.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 sd.360.cn udp
CN 180.163.251.142:80 sd.360.cn tcp (7 connections)

Files

memory/2868-0-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a25F8.bat

MD5 ae778fdfb3f7e0b736c6e00c995b6096
SHA1 5c854a9e054205e60f3190ca049c00bcc167d04e
SHA256 4a75f76ddee5e1cbaac6c22d7157ad25cc28e2650e227c099d81a37210bff98b
SHA512 7662404b6faf90616be22c0fd13a3590bc53a8e5a08e707723344c586e361cfb786c0257ff7f0de32a8f02644342e1d95643a6e5097cd9e8903e5197cde6332e

C:\Windows\rundl132.exe

MD5 f8a976c5aaef6a6fedce55044f4832ea
SHA1 9b9037e1d3ca26d15e843b4cba0fb2bdc8e3c390
SHA256 2b6c93f29d20f9f1491af5b1ae69617f6b2fc9ac59e209ca5505dd404c7488e8
SHA512 c008146ac2e5181a43f319a540fbdac407c0c585231eda3ad82bf135dd8b398015eed7f363798722eecb5e4813421a733975063006993e54316e01f8459cd74e

memory/2688-18-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2868-16-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3e3aca8e34cc40ab388f58b3238bf0d74a6f4d4cb8e7b2067ccb9ff268a5e783.exe.exe

MD5 09063641c4d999c685939ef7cad32a57
SHA1 91114fea2c5e88e9e387e87b2a52243d2048de21
SHA256 9e75f3a8ce0b8c7340e19707eaa7ceb742fd7f3a4d61f5dea61db53792a90957
SHA512 e41885fd98c7ca18a6a102b2aa09d9d6736de906bd1866798ce954768c22de51f89befa531325e74075949e00dd45167a18da5e23960a200fed3395b6d868e15

memory/1180-29-0x0000000002A90000-0x0000000002A91000-memory.dmp

memory/2688-31-0x0000000000400000-0x0000000000435000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

memory/2688-38-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2688-44-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2688-90-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2688-96-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2688-1180-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2688-1849-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 45176869ff4ca97755d08ffb45765b23
SHA1 365bf2c70a10602370bd8d149802927c52164cb6
SHA256 548d006a501826f362a576842cee94d5c94812dbd5e17f709cf3fd071a8ff837
SHA512 f88d8c681e934302d0df4735b0e7b730a26dc5e818c7c0a1d0440c84d1a6658a70a5d7b53845b9dfc776ed383a381b7f76c8c040018e1b6a8d21197d3b0d8569

memory/2688-3308-0x0000000000400000-0x0000000000435000-memory.dmp

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 88eb1bca8c399bc3f46e99cdde2f047e
SHA1 55fafbceb011e1af2edced978686a90971bd95f2
SHA256 42fd78c05bc240d4ded16ac974f17c336f6ae3a1814d548021c48a942cc30428
SHA512 149d4de0c024e25a13a7bb17471e6f48391d4f26b1c8388672320eed1c255f84219ad7b72bbebc531ae558d5192dd4bb6d0dddd6c65a45300c8e8348a4fb3728

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 00:49

Reported: 2024-06-13 00:52

Platform: win10v2004-20240508-en

Max time kernel: 149s

Max time network: 49s

Command Line

C:\Windows\Explorer.EXE

Signatures

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\hr-hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ja-jp\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Uninstall Information\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\WinMetadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ar-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\fi-fi\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\wmpshare.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\zh-CN\View3d\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app-api\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sk-sk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fr-fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files-select\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ar-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\Microsoft.Advertising\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.People_2019.305.632.0_neutral_~_8wekyb3d8bbwe\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nb-no\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sk-sk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\de-de\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ru-ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\Simple\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\gmp-clearkey\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\km\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_x64__8wekyb3d8bbwe\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hr-hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\nb-no\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\ja-jp\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\pl\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\en_US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCamera_2018.826.98.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\cs-cz\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\rhp\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\fi-fi\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\3e3aca8e34cc40ab388f58b3238bf0d74a6f4d4cb8e7b2067ccb9ff268a5e783.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\3e3aca8e34cc40ab388f58b3238bf0d74a6f4d4cb8e7b2067ccb9ff268a5e783.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4180 wrote to memory of 400 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\3e3aca8e34cc40ab388f58b3238bf0d74a6f4d4cb8e7b2067ccb9ff268a5e783.exe C:\Windows\SysWOW64\cmd.exe
PID 4180 wrote to memory of 4620 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\3e3aca8e34cc40ab388f58b3238bf0d74a6f4d4cb8e7b2067ccb9ff268a5e783.exe C:\Windows\Logo1_.exe
PID 4620 wrote to memory of 2460 (3 events) N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2460 wrote to memory of 4136 (3 events) N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 400 wrote to memory of 1084 (3 events) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\3e3aca8e34cc40ab388f58b3238bf0d74a6f4d4cb8e7b2067ccb9ff268a5e783.exe
PID 4620 wrote to memory of 3460 (2 events) N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\3e3aca8e34cc40ab388f58b3238bf0d74a6f4d4cb8e7b2067ccb9ff268a5e783.exe

"C:\Users\Admin\AppData\Local\Temp\3e3aca8e34cc40ab388f58b3238bf0d74a6f4d4cb8e7b2067ccb9ff268a5e783.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a57C5.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\3e3aca8e34cc40ab388f58b3238bf0d74a6f4d4cb8e7b2067ccb9ff268a5e783.exe

"C:\Users\Admin\AppData\Local\Temp\3e3aca8e34cc40ab388f58b3238bf0d74a6f4d4cb8e7b2067ccb9ff268a5e783.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 sd.360.cn udp
US 8.8.8.8:53 sd.360.cn udp

Files

memory/4180-0-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\Logo1_.exe

MD5 f8a976c5aaef6a6fedce55044f4832ea
SHA1 9b9037e1d3ca26d15e843b4cba0fb2bdc8e3c390
SHA256 2b6c93f29d20f9f1491af5b1ae69617f6b2fc9ac59e209ca5505dd404c7488e8
SHA512 c008146ac2e5181a43f319a540fbdac407c0c585231eda3ad82bf135dd8b398015eed7f363798722eecb5e4813421a733975063006993e54316e01f8459cd74e

memory/4180-10-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4620-11-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a57C5.bat

MD5 cd35120bda0ffddd72c4f4e64c20e104
SHA1 a682cf1a82515f27f1147c56a24427c22fef41de
SHA256 bf57c386d1e8c7c31e709981d311b1bddda87f95f41cdfe8ed5eaf3534e3cc37
SHA512 29808d54e3d0d234f6c91838a3ac8e2b76eb5273cbd2a780b504856e784016d1414d2a12bae3b6017acf9da3edaf6e035e5a339fe36eb1d07d62b58cc9fcdfc5

C:\Users\Admin\AppData\Local\Temp\3e3aca8e34cc40ab388f58b3238bf0d74a6f4d4cb8e7b2067ccb9ff268a5e783.exe.exe

MD5 09063641c4d999c685939ef7cad32a57
SHA1 91114fea2c5e88e9e387e87b2a52243d2048de21
SHA256 9e75f3a8ce0b8c7340e19707eaa7ceb742fd7f3a4d61f5dea61db53792a90957
SHA512 e41885fd98c7ca18a6a102b2aa09d9d6736de906bd1866798ce954768c22de51f89befa531325e74075949e00dd45167a18da5e23960a200fed3395b6d868e15

memory/4620-20-0x0000000000400000-0x0000000000435000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3558294865-3673844354-2255444939-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

memory/4620-27-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4620-33-0x0000000000400000-0x0000000000435000-memory.dmp

memory/4620-37-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Program Files\7-Zip\7z.exe

MD5 16ad3e3cbd4d87d75c0d6e5d8637e50d
SHA1 19b238142cd9b2cec357ba6368dbb9a40808a6c2
SHA256 a10555cfee91e6076638a4a5454f27970a4d66cae758f8297fab8ff0893fa7e8
SHA512 3bb474d5adb98640ca4ca09972a4e1924e3cf8f21b453939a3cc98f9315c6ecc7d456f6672a6294c23918d5c4b2de6c0add28bcc25f8464f43e3dcf4ad0df3f8

memory/4620-1232-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 45176869ff4ca97755d08ffb45765b23
SHA1 365bf2c70a10602370bd8d149802927c52164cb6
SHA256 548d006a501826f362a576842cee94d5c94812dbd5e17f709cf3fd071a8ff837
SHA512 f88d8c681e934302d0df4735b0e7b730a26dc5e818c7c0a1d0440c84d1a6658a70a5d7b53845b9dfc776ed383a381b7f76c8c040018e1b6a8d21197d3b0d8569

memory/4620-4797-0x0000000000400000-0x0000000000435000-memory.dmp

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 9cba1e86016b20490fff38fb45ff4963
SHA1 378720d36869d50d06e9ffeef87488fbc2a8c8f7
SHA256 a22e6d0f5c7d44fefc2204e0f7c7b048e1684f6cf249ba98c006bbf791c22d19
SHA512 2f3737d29ea3925d10ea5c717786425f6434be732974586328f03691a35cd1539828e3301685749e5c4135b8094f15b87fb9659915de63678a25749e2f8f5765

memory/4620-5236-0x0000000000400000-0x0000000000435000-memory.dmp