Malware Analysis Report

2025-04-14 03:03

Sample ID: 240613-e8kacsxhpl
Target: a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90
SHA256: a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 7/10
SHA256: a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90
Threat Level: Shows suspicious behavior

The file a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90 was found to show suspicious behavior.

Malicious Activity Summary

Deletes itself

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Runs net.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-13 04:36

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-13 04:36
Reported: 2024-06-13 04:39
Platform: win7-20231129-en
Max time kernel: 149s
Max time network: 119s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_out\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\FreeCell\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\nb\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Outlook.en-us\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Esl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\brx\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Defender\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Filters\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ach\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\sq\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Purble Place\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ro\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Mail\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VBA\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Journal\PDIALOG.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Mail\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Internet Explorer\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Library\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATER\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Sports\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\WinMail.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\d3d9\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\FAX\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Mahjong\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\si\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1540 wrote to memory of 2196 (4 times) N/A C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe C:\Windows\SysWOW64\cmd.exe
PID 1540 wrote to memory of 2208 (4 times) N/A C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe C:\Windows\Logo1_.exe
PID 2208 wrote to memory of 1876 (4 times) N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2196 wrote to memory of 2600 (4 times) N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe
PID 1876 wrote to memory of 2664 (4 times) N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2600 wrote to memory of 2832 (4 times) N/A C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
PID 2208 wrote to memory of 1348 (2 times) N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe
    "C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe"

C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a7AE.bat

C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe
    net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe
    "C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe"

C:\Windows\SysWOW64\net1.exe
    C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
    "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\$$a7AE.bat

C:\Windows\Logo1_.exe

C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe.exe

\Users\Admin\AppData\Local\Temp\nsy8F7.tmp\System.dll

\Users\Admin\AppData\Local\Temp\nsy8F7.tmp\StdUtils.dll

C:\Users\Admin\AppData\Local\Temp\nsy8F7.tmp\nsProcess.dll

\Users\Admin\AppData\Local\Temp\nsy8F7.tmp\WinShell.dll

F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\_desktop.ini

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe


Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-13 04:36
Reported: 2024-06-13 04:39
Platform: win10v2004-20240508-en
Max time kernel: 150s
Max time network: 52s

Command Line

C:\Windows\Explorer.EXE

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\en-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ja-jp\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sk-SK\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\contrast-white\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\ru-ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\manifests\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\zh-cn\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nb-no\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxGameOverlay_1.46.11001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Mac\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ar-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\pl-pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ru-ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\eo\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Multimedia Platform\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\MSEnv\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\hr-hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\hu-hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\hu-hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\fi-fi\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ca-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsStore_11910.1002.5.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ar-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\he-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\gd\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\lt-LT\View3d\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\MSInfo\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\sr-latn-cs\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A
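
The file-creation rows above (the three drops under C:\Windows, and the long run of `_desktop.ini` files that Logo1_.exe seeds into Program Files, WindowsApps and drive-root $RECYCLE.BIN folders) translate directly into a detection. The following is an added example, not part of the sandbox report: it runs that logic over a constructed set of records that mimic Sysmon Event ID 11 (FileCreate) flattened to one key=value line each. The flattened log layout, the `SAMPLE_LOG` records and the label names are assumptions; the paths and file names come from the report.

```python
"""Detection pass over file-creation events for the drop pattern in this report.

Added example; it is not part of the sandbox report. SAMPLE_LOG is a
constructed set of records that mimic Sysmon Event ID 11 (FileCreate) and
Event ID 1 (ProcessCreate) flattened to one key=value line each; that
layout is an assumption, not a format the report shows.
"""
import re
from typing import Dict, List, Optional, Tuple

# Files the report records as created under C:\Windows by the sample and by
# the dropped Logo1_.exe. Compared case-insensitively.
DROPPED_IN_WINDOWS = {
    r"c:\windows\logo1_.exe",
    r"c:\windows\rundl132.exe",
    r"c:\windows\vdll.dll",
}

# Logo1_.exe also writes a "_desktop.ini" into each directory it walks
# (Program Files, WindowsApps, drive-root $RECYCLE.BIN in the report).
# Note the leading underscore: a plain desktop.ini is a normal Explorer file.
MARKER_RE = re.compile(r"\\_desktop\.ini$", re.IGNORECASE)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe"

# Constructed records (assumption: key=value pairs separated by single spaces).
SAMPLE_LOG = "\n".join([
    f"EventID=11 Image={SAMPLE} TargetFilename=C:\\Windows\\Logo1_.exe",
    f"EventID=11 Image={SAMPLE} TargetFilename=C:\\Windows\\rundl132.exe",
    r"EventID=11 Image=C:\Windows\Logo1_.exe TargetFilename=C:\Windows\vDll.dll",
    r"EventID=11 Image=C:\Windows\Logo1_.exe TargetFilename=C:\Program Files\7-Zip\_desktop.ini",
    r"EventID=11 Image=C:\Windows\Logo1_.exe TargetFilename=C:\Program Files (x86)\Windows Defender\es-ES\_desktop.ini",
    r"EventID=11 Image=C:\Windows\explorer.exe TargetFilename=C:\Users\Admin\Desktop\desktop.ini",
    r'EventID=1 Image=C:\Windows\SysWOW64\net.exe CommandLine=net stop "Kingsoft AntiVirus Service"',
])


def parse_record(line: str) -> Dict[str, str]:
    """Split 'k=v k=v ...' into a dict; values may contain spaces, so split
    only on a space that is followed by another 'key=' token."""
    fields: Dict[str, str] = {}
    for token in re.split(r" (?=[A-Za-z]+=)", line.strip()):
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def classify(record: Dict[str, str]) -> Optional[str]:
    """Return a label for a FileCreate record that matches the report, else None."""
    if record.get("EventID") != "11":
        return None
    target = record.get("TargetFilename", "")
    if target.lower() in DROPPED_IN_WINDOWS:
        return "dropped-in-windows"
    if MARKER_RE.search(target):
        return "desktop-ini-marker"
    return None


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Yield (label, writing image, target path) for every matching record."""
    hits = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        label = classify(rec)
        if label:
            hits.append((label, rec.get("Image", ""), rec.get("TargetFilename", "")))
    return hits


def summarize(hits: List[Tuple[str, str, str]]) -> Dict[str, Dict[str, int]]:
    """Count labels per writing image. One process writing _desktop.ini into
    many unrelated directories is the strongest signal in the report."""
    counts: Dict[str, Dict[str, int]] = {}
    for label, image, _ in hits:
        counts.setdefault(image, {}).setdefault(label, 0)
        counts[image][label] += 1
    return counts


if __name__ == "__main__":
    for image, per_label in summarize(scan(SAMPLE_LOG.splitlines())).items():
        print(image, per_label)
```

Matching `_desktop.ini` by name alone would be noisy on its own; the summary step is what makes it actionable, since it surfaces a single image writing the marker across directories it has no business touching.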

Enumerates physical storage devices

Runs net.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3632 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe C:\Windows\SysWOW64\cmd.exe
PID 3632 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe C:\Windows\SysWOW64\cmd.exe
PID 3632 wrote to memory of 1936 N/A C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe C:\Windows\SysWOW64\cmd.exe
PID 3632 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe C:\Windows\Logo1_.exe
PID 3632 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe C:\Windows\Logo1_.exe
PID 3632 wrote to memory of 2332 N/A C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe C:\Windows\Logo1_.exe
PID 2332 wrote to memory of 4416 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2332 wrote to memory of 4416 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2332 wrote to memory of 4416 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4416 wrote to memory of 3908 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4416 wrote to memory of 3908 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4416 wrote to memory of 3908 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1936 wrote to memory of 4788 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe
PID 1936 wrote to memory of 4788 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe
PID 1936 wrote to memory of 4788 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe
PID 4788 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
PID 4788 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
PID 4788 wrote to memory of 2300 N/A C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe
PID 2332 wrote to memory of 3564 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2332 wrote to memory of 3564 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

PID Process Command Line (PIDs taken from the WriteProcessMemory rows above)
3564 C:\Windows\Explorer.EXE C:\Windows\Explorer.EXE
3632 C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe "C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe"
1936 C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a3C9B.bat
2332 C:\Windows\Logo1_.exe C:\Windows\Logo1_.exe
4416 C:\Windows\SysWOW64\net.exe net stop "Kingsoft AntiVirus Service"
3908 C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
4788 C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe "C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe"
2300 C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe "C:\Users\Admin\AppData\Local\Temp\~nsuA.tmp\Un_A.exe" _?=C:\Users\Admin\AppData\Local\Temp\
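
The "wrote to memory of" rows and the process list together describe one execution chain: the sample spawns a cmd.exe running a temp batch file and drops Logo1_.exe; Logo1_.exe stops the Kingsoft AV service via net.exe/net1.exe and writes into Explorer.EXE; the batch file relaunches a copy of the sample, which runs an NSIS uninstaller (Un_A.exe). The following is an added example, not part of the sandbox report: it rebuilds that tree from the report's own rows, collapses the repeated writes per edge, separates writes into an already-running process from child creation, and flags the command lines worth a second look. `WPM_ROWS` is copied from the table above; `COMMAND_LINES` pairs those PIDs with the Processes list in document order, which is a derivation from the report rather than something it states; `PRE_EXISTING` is an assumption that Explorer.EXE was already running as the desktop shell, so a write into it is injection rather than process creation.

```python
"""Rebuild the process tree from the report's WriteProcessMemory rows.

Added example, not part of the sandbox report. WPM_ROWS is copied from the
"Suspicious use of WriteProcessMemory" table (each edge appears three times
there, the Explorer edge twice). COMMAND_LINES pairs those PIDs with the
Processes list in document order (a derivation, not stated by the report).
PRE_EXISTING is an assumption: explorer.exe was already running, so a write
into it is injection, not child creation.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe"

WPM_ROWS = "\n".join(
    [f"PID 3632 wrote to memory of 1936 N/A {SAMPLE} C:\\Windows\\SysWOW64\\cmd.exe"] * 3
    + [f"PID 3632 wrote to memory of 2332 N/A {SAMPLE} C:\\Windows\\Logo1_.exe"] * 3
    + [r"PID 2332 wrote to memory of 4416 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe"] * 3
    + [r"PID 4416 wrote to memory of 3908 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe"] * 3
    + [f"PID 1936 wrote to memory of 4788 N/A C:\\Windows\\SysWOW64\\cmd.exe {SAMPLE}"] * 3
    + [f"PID 4788 wrote to memory of 2300 N/A {SAMPLE} C:\\Users\\Admin\\AppData\\Local\\Temp\\~nsuA.tmp\\Un_A.exe"] * 3
    + [r"PID 2332 wrote to memory of 3564 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE"] * 2
)

# Derived pairing of PIDs with the Processes list (see module docstring).
COMMAND_LINES: Dict[int, str] = {
    3564: "C:\\Windows\\Explorer.EXE",
    3632: f'"{SAMPLE}"',
    1936: "C:\\Windows\\system32\\cmd.exe /c C:\\Users\\Admin\\AppData\\Local\\Temp\\$$a3C9B.bat",
    2332: "C:\\Windows\\Logo1_.exe",
    4416: 'net stop "Kingsoft AntiVirus Service"',
    3908: 'C:\\Windows\\system32\\net1 stop "Kingsoft AntiVirus Service"',
    4788: f'"{SAMPLE}"',
    2300: '"C:\\Users\\Admin\\AppData\\Local\\Temp\\~nsuA.tmp\\Un_A.exe" _?=C:\\Users\\Admin\\AppData\\Local\\Temp\\',
}

PRE_EXISTING = {3564}  # assumption: the desktop shell, running before the sample

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")

# Command-line patterns that deserve a note in the tree.
SUSPICIOUS = [
    (re.compile(r"(?:^|\\)net1?(?:\.exe)?\s+stop\b", re.IGNORECASE), "stops a service"),
    (re.compile(r"cmd(?:\.exe)?\s+/c\s+\S+\.bat\b", re.IGNORECASE), "runs a temp .bat"),
]


def parse_edges(text: str) -> Tuple[Counter, Dict[int, str]]:
    """Return ((src, dst) -> write count) and (pid -> image path)."""
    edges: Counter = Counter()
    images: Dict[int, str] = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        src, dst = int(m.group(1)), int(m.group(2))
        edges[(src, dst)] += 1
        images[src], images[dst] = m.group(3), m.group(4)
    return edges, images


def build_tree(edges: Counter):
    """Split edges into spawn edges (parent -> child) and injection edges
    (writer -> pre-existing process); roots are writers nobody spawned."""
    spawned: Dict[int, List[int]] = defaultdict(list)
    injected: List[Tuple[int, int, int]] = []
    for (src, dst), n in edges.items():
        if dst in PRE_EXISTING:
            injected.append((src, dst, n))
        else:
            spawned[src].append(dst)
    children = {dst for (_, dst) in edges if dst not in PRE_EXISTING}
    roots = sorted({src for (src, _) in edges if src not in children})
    return spawned, injected, roots


def flag(cmdline: str) -> List[str]:
    return [why for rx, why in SUSPICIOUS if rx.search(cmdline)]


def render_tree(spawned, roots, images, cmdlines) -> List[str]:
    """Indented lines, depth-first, with a note on flagged command lines."""
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        reasons = flag(cmdlines.get(pid, ""))
        tag = f"  <-- {'; '.join(reasons)}" if reasons else ""
        lines.append(f"{'    ' * depth}{pid} {images.get(pid, '?')}{tag}")
        for child in spawned.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return lines


if __name__ == "__main__":
    edges, images = parse_edges(WPM_ROWS)
    spawned, injected, roots = build_tree(edges)
    for line in render_tree(spawned, roots, images, COMMAND_LINES):
        print(line)
    for src, dst, n in injected:
        print(f"{src} {images[src]} wrote into already-running {dst} {images[dst]} ({n} writes)")
```

The separation matters when reading any WriteProcessMemory table: a parent writing into a child it just created is routine CreateProcess behaviour, while Logo1_.exe writing into Explorer.EXE is the only edge here whose target it did not start.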

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/3632-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\Logo1_.exe

MD5 803416611d3ff9892e3e5c729d18a4cf
SHA1 bc99a7db9810cc6c08c4c1eee041d666396a00a8
SHA256 44dd551c7c131158282194d127971c71fa4e16b60b526f3886427bdd1b52eae9
SHA512 02ad74b45ef2338c97df02d421951b43730531db1c9cc88e85ab294ebf94f7cd0f2991278a4e6e9c4af3dac0f7952e7f2ea09ed14a3ce6b16990371c3d5ec083

memory/3632-12-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2332-13-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a3C9B.bat

MD5 05f7679b2764230c25a85dc98f846974
SHA1 6d72467a519bc1f2177933ab96bc228c4b35d553
SHA256 9a9c4c54c041e7ed7cfb1de85cf52959cdbe8fccd557010d4df14211b3f273ec
SHA512 28e43370086ebbb1536fdeda203555ef70929be2c69f9fd0fd8b17baa65c5ed3a324e51ae24b645d3b151ebbcdfeed73091b866d03fc882c947bec623f8bea0d

C:\Users\Admin\AppData\Local\Temp\a02420dab560800c6d86285ce39f1da859ac2f76e3ddd19fd0aab82f6919ab90.exe.exe

MD5 47a6c51c0904f930c3ea2acd11843598
SHA1 66dbd0a1bef915d2efbf405b5da32a0eed93a62c
SHA256 4cb64e345f2ccf5bb6b3493dc55b11048ef249baed3645b09033758c652734af
SHA512 455d26fdaf4396106096c6e1698bf58864ffbff1b073adfafb2c8f66dbfcca502ce452011064bc4ccf38341b848cbd7b02a3471331356ffb8a117ec0bc1a428e

C:\Users\Admin\AppData\Local\Temp\nsc3F2D.tmp\System.dll

MD5 0d7ad4f45dc6f5aa87f606d0331c6901
SHA1 48df0911f0484cbe2a8cdd5362140b63c41ee457
SHA256 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
SHA512 c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

C:\Users\Admin\AppData\Local\Temp\nsc3F2D.tmp\StdUtils.dll

MD5 c6a6e03f77c313b267498515488c5740
SHA1 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
SHA256 b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
SHA512 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

C:\Users\Admin\AppData\Local\Temp\nsc3F2D.tmp\nsProcess.dll

MD5 f0438a894f3a7e01a4aae8d1b5dd0289
SHA1 b058e3fcfb7b550041da16bf10d8837024c38bf6
SHA256 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
SHA512 f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7

C:\Users\Admin\AppData\Local\Temp\nsc3F2D.tmp\WinShell.dll

MD5 1cc7c37b7e0c8cd8bf04b6cc283e1e56
SHA1 0b9519763be6625bd5abce175dcc59c96d100d4c
SHA256 9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6
SHA512 7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

memory/2332-56-0x0000000000400000-0x0000000000434000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

memory/2332-63-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2332-69-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2332-73-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Program Files\7-Zip\7z.exe

MD5 9a82d81ba2e36e6a954f13c6f3447007
SHA1 9379936d5b85fc829946d4e67aca1609545c70ad
SHA256 1f2ae1902b9b9c1cb54f98a02d3deff12bbbb95e16911640b3bba79113799f77
SHA512 08e28ce1842f7e5e910d1bc731231a7e1bbaba6cb499696e6b5d528ef13f7885b3c453165bf32dad4e1c9e222f235ec080d9f003de79494423fef107e833193b

memory/2332-1267-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 8c76d8209d2e719930c9ba1c3aec96a4
SHA1 688649466318e5e496c8256fd3168039b3b330aa
SHA256 ac040dc7f1ccb3b1a1a0ba7f57c5f1787081c64b56d3af79fdfc24aa69759a9f
SHA512 19744836971e4202ee281738f0b895e0b96150642499067e1b51a7434865be790f6a1c65f2163cdbd108adbc7f44ca812c6647eb1952a9925b152b13007ab269

memory/2332-4833-0x0000000000400000-0x0000000000434000-memory.dmp

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 82168b5f40194e6e86457c2b534cfc21
SHA1 3e2702a384a03243e98ee6866e09f6d5df9b5de5
SHA256 c2f452c90356d0070c71ce17da69c4245dc24f46e1215eca22748567e48279d9
SHA512 6d041166b41e4608aa46b1724322a22d49e5d709f4b1bf89d2c6819282a813c88cd74ba6167f337d4d36a741ae53830b04e58e92fbfc597f85cd7f763284c774

memory/2332-5272-0x0000000000400000-0x0000000000434000-memory.dmp
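
The Files section lists each written file as a path followed by MD5/SHA1/SHA256/SHA512 lines, with memory-dump entries in between that carry no hashes. The following is an added example, not part of the sandbox report: it parses that block into an IOC set keyed by SHA-256 and sweeps a directory tree for matching files. `REPORT_FILES` is an excerpt copied from the section above (Logo1_.exe, one memory-dump line, and the $$a3C9B.bat batch file); the temporary file created by `demo_sweep` is constructed for the demonstration and is not a sample.

```python
"""Turn this report's Files block into an IOC set and sweep a directory tree.

Added example, not part of the sandbox report. REPORT_FILES is an excerpt
copied from the Files section; the sweep hashes every regular file under a
root and matches SHA-256 digests, skipping files it cannot read so a sweep
of a system drive does not abort on protected paths.
"""
import hashlib
import os
import re
import tempfile
from typing import Dict, List, Tuple

REPORT_FILES = """\
C:\\Windows\\Logo1_.exe

MD5 803416611d3ff9892e3e5c729d18a4cf
SHA1 bc99a7db9810cc6c08c4c1eee041d666396a00a8
SHA256 44dd551c7c131158282194d127971c71fa4e16b60b526f3886427bdd1b52eae9
SHA512 02ad74b45ef2338c97df02d421951b43730531db1c9cc88e85ab294ebf94f7cd0f2991278a4e6e9c4af3dac0f7952e7f2ea09ed14a3ce6b16990371c3d5ec083

memory/2332-13-0x0000000000400000-0x0000000000434000-memory.dmp

C:\\Users\\Admin\\AppData\\Local\\Temp\\$$a3C9B.bat

MD5 05f7679b2764230c25a85dc98f846974
SHA1 6d72467a519bc1f2177933ab96bc228c4b35d553
SHA256 9a9c4c54c041e7ed7cfb1de85cf52959cdbe8fccd557010d4df14211b3f273ec
SHA512 28e43370086ebbb1536fdeda203555ef70929be2c69f9fd0fd8b17baa65c5ed3a324e51ae24b645d3b151ebbcdfeed73091b866d03fc882c947bec623f8bea0d
"""

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512) ([0-9a-fA-F]+)$")


def parse_files_block(text: str) -> Dict[str, Dict[str, str]]:
    """Map each file entry to its {algorithm: digest}. A non-hash line starts
    a new entry; entries with no hash lines (memory dumps) are dropped."""
    entries: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HASH_RE.match(line)
        if m and current is not None:
            entries.setdefault(current, {})[m.group(1)] = m.group(2).lower()
        elif not m:
            current = line
    return entries


def ioc_index(entries: Dict[str, Dict[str, str]]) -> Dict[str, str]:
    """SHA-256 digest -> report file name, for the entries that carry one."""
    return {h["SHA256"]: name for name, h in entries.items() if "SHA256" in h}


def sha256_of(path: str, chunk: int = 1 << 20) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root: str, iocs: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (local path, report name) for every file whose digest is an IOC."""
    hits: List[Tuple[str, str]] = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                digest = sha256_of(path)
            except OSError:
                continue  # locked or unreadable file: skip, keep sweeping
            if digest in iocs:
                hits.append((path, iocs[digest]))
    return hits


def demo_sweep() -> List[str]:
    """Sweep a temporary directory holding one constructed file whose digest is
    added to the report IOCs; returns the report names that matched."""
    iocs = ioc_index(parse_files_block(REPORT_FILES))
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "constructed.bin")
        with open(path, "wb") as f:
            f.write(b"constructed test content, not a real sample")
        assert sweep(tmp, iocs) == []  # report hashes do not match the constructed file
        iocs[sha256_of(path)] = "constructed.bin (test only)"
        return [name for _, name in sweep(tmp, iocs)]


if __name__ == "__main__":
    for name, hashes in parse_files_block(REPORT_FILES).items():
        print(name, hashes["SHA256"])
    print(demo_sweep())
```

Hash matching only finds byte-identical copies of what the sandbox saw; the `_desktop.ini` markers and the C:\Windows drop names are the better sweep keys for a host where the dropped files may differ.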