Malware Analysis Report

2024-10-19 08:20

Sample ID 240613-w88rdsxgjd
Target fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516
SHA256 fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516
Tags
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516

Threat Level: Shows suspicious behavior

The file fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516 was found to be: Shows suspicious behavior.

Malicious Activity Summary


Deletes itself

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 18:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 18:36

Reported

2024-06-13 18:39

Platform

win7-20240508-en

Max time kernel

150s

Max time network

118s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\af\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Esl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Minesweeper\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Journal\Templates\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\FreeCell\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\pingsender.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ast\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TextConv\WksConv\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\mr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\intf\modules\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\my\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInViews\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Stationery\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Checkers\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\en_GB\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ff\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\ext\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ug\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\uz\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Mahjong\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\wabmig.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Publisher.en-us\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2436 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 2488 N/A C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe C:\Windows\SysWOW64\cmd.exe
PID 2436 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe C:\Windows\Logo1_.exe
PID 2436 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe C:\Windows\Logo1_.exe
PID 2436 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe C:\Windows\Logo1_.exe
PID 2436 wrote to memory of 2068 N/A C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe C:\Windows\Logo1_.exe
PID 2488 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe
PID 2488 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe
PID 2488 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe
PID 2488 wrote to memory of 2736 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe
PID 2068 wrote to memory of 2748 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2068 wrote to memory of 2748 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2068 wrote to memory of 2748 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2068 wrote to memory of 2748 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2748 wrote to memory of 2756 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2748 wrote to memory of 2756 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2748 wrote to memory of 2756 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2748 wrote to memory of 2756 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2068 wrote to memory of 1196 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2068 wrote to memory of 1196 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe

"C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1ED6.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe

"C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/2436-0-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a1ED6.bat

MD5 496f1eaff8540238b19125aaf606e3a8
SHA1 06b5298b4b896fec3519f4d7841bf30e366f415b
SHA256 0868fa58a1af9f4ef3ba6e622ea3ca2fe06945b69cae2b208af58e79a2c881e4
SHA512 d214de9c59364f41bfd0aa000cf299e49ecd7701a2223425803987b12dc87f885d6f34555089d58094b0b6c8a280f4fa4874c589c47f77d69fbe9876769158c6

memory/2436-16-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\Logo1_.exe

MD5 dccda60757967a88ad8a9a89f813748b
SHA1 30342bac716279dc71135ca51c669c25940a8684
SHA256 73bb214769970609319af0d08f3d0938a9cad1d1fc864b23527c9474cca5b2f2
SHA512 b022e816473dd0c16723393e1381ef9e99298fc6e85724eb451271c62a1f1e77541543fe02cb5e9cc7d758a3793103930288c36e7becfb7ff2716893ee228816

memory/2068-18-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe.exe

MD5 766721f110f52057319fb87a2f1d4225
SHA1 6b2d5b226224567f726fe5c641f4a55e575a1781
SHA256 4ed35a2d5af16c722524f9f012dcfa7281744b9d223fc9e03040f9066ee2c66f
SHA512 49d9dc340f7d8fb9396c50cccb948215a6b427075beb7ffe007ecadaa5ada99778b0dfdb9a44ce1da13c3c3703b23536a81d9fcb2dbb2c753bc3989d19441fb9

memory/1196-30-0x00000000025B0000-0x00000000025B1000-memory.dmp

memory/2068-32-0x0000000000400000-0x0000000000436000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-2737914667-933161113-3798636211-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

memory/2068-39-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2068-45-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2068-91-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2068-97-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2068-534-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2068-1874-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2068-2084-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 432aa5b6bcd692caa88869c8bdc43681
SHA1 aeb7c43781d43851f7f127b4e5adc46f743d1b14
SHA256 86cfebefaf5ede042543c8a48550b01fe7ef3b6b7812000c3888319ae9dc3d2f
SHA512 4f160f737ac1f8a879bbcfffc37d499ed1e26cd21f7798cc8cc430b2d0c3fa83f6f30d1c5ddc6010523c32f9a81e8756a5c723b880e61f63135f4d42b79c9058

memory/2068-3334-0x0000000000400000-0x0000000000436000-memory.dmp

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 6f0ec1ca208b0521f58bcd694897df06
SHA1 808a16d524301513af8ee772936f6bdcf41623a6
SHA256 53b5d4205b0f2ae4ba0051244fffcaf0cfecbf78dfc448e4d2e68e53e15f15bf
SHA512 d8318484059a9988dae4b8a53d1ccec1a54ed825e1937d70fccc9bd26222a0c4b23718f368e6d193e6dd7b9d999e5e8d5f23717ea160468b6287004a722503f2

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 18:36

Reported

2024-06-13 18:39

Platform

win10v2004-20240226-en

Max time kernel

153s

Max time network

159s

Command Line

C:\Windows\Explorer.EXE

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\oc\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\pstn\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.Membership.MeControl\Assets\OfflinePages\Scripts\Me\MeControl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\resources\strings\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.Telemetry\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\zh-cn\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInViews\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\text_renderer\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.XboxApp_48.49.31001.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\de-de\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\pl-pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\sl-si\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\images\themes\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ja-jp\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.0\de\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.185.17\MicrosoftEdgeUpdate.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\identity_proxy\win11\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\identity_proxy\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.GetHelp_10.1706.13331.0_neutral_split.scale-125_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\sk-sk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.1813.0_neutral_~_8wekyb3d8bbwe\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\include\win32\bridge\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\kinit.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ru-ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsAlarms_10.1906.2182.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\zh-cn\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\ICU\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\fonts\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\PdfPreview\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\122.0.2365.52\ResiliencyLinks\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\demux\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.UI\Resources\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 904 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe C:\Windows\SysWOW64\cmd.exe
PID 904 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe C:\Windows\SysWOW64\cmd.exe
PID 904 wrote to memory of 1428 N/A C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe C:\Windows\SysWOW64\cmd.exe
PID 904 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe C:\Windows\Logo1_.exe
PID 904 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe C:\Windows\Logo1_.exe
PID 904 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe C:\Windows\Logo1_.exe
PID 1428 wrote to memory of 5552 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe
PID 1428 wrote to memory of 5552 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe
PID 1428 wrote to memory of 5552 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe
PID 3568 wrote to memory of 4040 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3568 wrote to memory of 4040 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3568 wrote to memory of 4040 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4040 wrote to memory of 2556 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4040 wrote to memory of 2556 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4040 wrote to memory of 2556 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3568 wrote to memory of 3196 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 3568 wrote to memory of 3196 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe

"C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a1587.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe

"C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3996 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 203.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
GB 142.250.187.202:443 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 234.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

memory/904-0-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\Logo1_.exe

MD5 dccda60757967a88ad8a9a89f813748b
SHA1 30342bac716279dc71135ca51c669c25940a8684
SHA256 73bb214769970609319af0d08f3d0938a9cad1d1fc864b23527c9474cca5b2f2
SHA512 b022e816473dd0c16723393e1381ef9e99298fc6e85724eb451271c62a1f1e77541543fe02cb5e9cc7d758a3793103930288c36e7becfb7ff2716893ee228816

memory/904-11-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3568-9-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a1587.bat

MD5 2ef5b15f576885b0b500c7616d94e4f1
SHA1 149ca6a7a882d01ffadd819454c8b0e72da6bb39
SHA256 caa38c9f2e6a4d83081090cb0bd9bf79dc9d7c3b6df84521f278ae50dc6d9f44
SHA512 ab73e8e79290ff4301766020378635d073185c73d2de0c3a48a03a635731cd7c049ead82dd25736a37a375676f9455ce542c5eea6d6ffa57548e03f706318c86

C:\Users\Admin\AppData\Local\Temp\fd6f938d9b4b09679cc7a1dfeacf3b1e9913ffa8d7d9ffe5ba7df94522dff516.exe.exe

MD5 766721f110f52057319fb87a2f1d4225
SHA1 6b2d5b226224567f726fe5c641f4a55e575a1781
SHA256 4ed35a2d5af16c722524f9f012dcfa7281744b9d223fc9e03040f9066ee2c66f
SHA512 49d9dc340f7d8fb9396c50cccb948215a6b427075beb7ffe007ecadaa5ada99778b0dfdb9a44ce1da13c3c3703b23536a81d9fcb2dbb2c753bc3989d19441fb9

memory/3568-20-0x0000000000400000-0x0000000000436000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

memory/3568-27-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3568-34-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3568-38-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3568-43-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Program Files\7-Zip\7z.exe

MD5 451d320c4693c75e5440cb4d9c47a77f
SHA1 eb33d16b45402ffab95c3735479cd3070892e03f
SHA256 ee272f52273d86c5612ac01738c5dbf9467aa805560258e77c1de59bc9bebfca
SHA512 93cbaba8c9793e66a210b0c4f1f788b15d011b8170feee09275ec5cfd22b972999186d1172ccbc0ddb448c1a563cd3d289f17fc8fb665932d3db5477234aa33f

memory/3568-142-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3568-1182-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3568-1683-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 432aa5b6bcd692caa88869c8bdc43681
SHA1 aeb7c43781d43851f7f127b4e5adc46f743d1b14
SHA256 86cfebefaf5ede042543c8a48550b01fe7ef3b6b7812000c3888319ae9dc3d2f
SHA512 4f160f737ac1f8a879bbcfffc37d499ed1e26cd21f7798cc8cc430b2d0c3fa83f6f30d1c5ddc6010523c32f9a81e8756a5c723b880e61f63135f4d42b79c9058

memory/3568-4911-0x0000000000400000-0x0000000000436000-memory.dmp