Malware Analysis Report

2024-10-19 08:23

Sample ID 240613-xa7xwasalr
Target b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2
SHA256 b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2
Tags
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2

Threat Level: Shows suspicious behavior

The file b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2 was found to be: Shows suspicious behavior.

Malicious Activity Summary


Deletes itself

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Runs net.exe

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 18:40

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 18:40

Reported

2024-06-13 18:42

Platform

win7-20240611-en

Max time kernel

150s

Max time network

119s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\lib\jfr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ug\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Chess\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Welcome Tool\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\Media Renderer\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\lib\applet\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\am_ET\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Europe\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\et\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\services_discovery\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Discussion\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ug\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\meta_engine\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Esl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\logger\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\FreeCell\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Bibliography\Sort\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\VisualBasic\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\SoftBlue\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\bn\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Triedit\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\HostSideAdapters\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Journal\Templates\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1752 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe C:\Windows\SysWOW64\cmd.exe
PID 1752 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe C:\Windows\SysWOW64\cmd.exe
PID 1752 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe C:\Windows\SysWOW64\cmd.exe
PID 1752 wrote to memory of 2140 N/A C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe C:\Windows\SysWOW64\cmd.exe
PID 1752 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe C:\Windows\Logo1_.exe
PID 1752 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe C:\Windows\Logo1_.exe
PID 1752 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe C:\Windows\Logo1_.exe
PID 1752 wrote to memory of 2004 N/A C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe C:\Windows\Logo1_.exe
PID 2004 wrote to memory of 3016 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2004 wrote to memory of 3016 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2004 wrote to memory of 3016 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2004 wrote to memory of 3016 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2140 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe
PID 2140 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe
PID 2140 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe
PID 2140 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe
PID 2140 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe
PID 2140 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe
PID 2140 wrote to memory of 2696 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe
PID 3016 wrote to memory of 2632 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3016 wrote to memory of 2632 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3016 wrote to memory of 2632 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3016 wrote to memory of 2632 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2004 wrote to memory of 1144 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2004 wrote to memory of 1144 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe

"C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1390.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe

"C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/1752-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a1390.bat

MD5 c3e45b10166123c14907ff08c0ef6c6b
SHA1 bfb32d24e0e71b21eb9a14241e178ff6f14a91ca
SHA256 1c276bfbd5da801debc95abd9335971d6b333ab369dae7222554b90a4bf4b120
SHA512 48b39aae1715be8c6e0ec6c5997f8d5abd671b92e50507b9ba7fef3f99e24c3b3fd1a3bd483dc1989176b02684656cba5df6ef7450bd6650481b3d054e788623

C:\Windows\Logo1_.exe

MD5 2fa7d646424dcabdc763a482ed72338a
SHA1 2917f669560129d017d689b255ff05b848a6fcd0
SHA256 b6e3f8544ab9ccaaf1cb6cc51639b7173edb46f7fc186b908d8bcd50b731da69
SHA512 02230628e90c8ae3397fa1c1908c9d4d27c112c7986ab6630608ce16054b1731bb06f3a129657c25a32214bd2451fe36b3f0e649073f5b8b6c86dca42d4b317b

memory/1752-17-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2004-21-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe.exe

MD5 9e4d73e24d912baa6e20a98fa4f98df3
SHA1 965fbbbaa4156dcb5c6391df4d245bbf94d62c0f
SHA256 28c6ce3582292ca5df81b9f8996369e82d489cc894cba9ed6b3e6678e67fc7f1
SHA512 0fc58e74c7a0773a6338c35656484f2e5682a55a9c6ca03bc479728c617afc99295a3dcb52d7d414d8f5cb9c37704886f54e26acf47a3d69ebb931ce2e3bd4f2

memory/2696-28-0x0000000073D2E000-0x0000000073D2F000-memory.dmp

memory/2696-29-0x0000000000280000-0x0000000000288000-memory.dmp

memory/1144-31-0x0000000002570000-0x0000000002571000-memory.dmp

memory/2004-33-0x0000000000400000-0x0000000000434000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-1340930862-1405011213-2821322012-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

memory/2004-40-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2004-46-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2004-92-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2004-98-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2004-1102-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2004-1875-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 a33a8079a96b84fb107ee4603ea5a431
SHA1 4d57eace6522d58ce571c31103ce1335cac7a334
SHA256 3ca9dbf486bbdef38ddf2102a532563ab20f4d767c5e6228f39e606e626e76d8
SHA512 29ec766ea39de2e24661a6444590fcd3421dfaf8e2f9edc6b7420331b455e9726759add01d9f53862341b7563042f089c64703edfcc38afa5f26e1e4bb64709b

memory/2004-2870-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2004-3335-0x0000000000400000-0x0000000000434000-memory.dmp

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 4cfdb20b04aa239d6f9e83084d5d0a77
SHA1 f22863e04cc1fd4435f785993ede165bd8245ac6
SHA256 30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9
SHA512 35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 18:40

Reported

2024-06-13 18:42

Platform

win10v2004-20240226-en

Max time kernel

151s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeWebView\Application\122.0.2365.52\ResiliencyLinks\Trust Protection Lists\Mu\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Security\BrowserCore\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\AppCS\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\de-de\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.25\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\he\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeCore\122.0.2365.52\Notifications\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\as_IN\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\pl-pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\hu-hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sk-sk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Diagnostics\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\fr-ma\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\uk-ua\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Offline\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-white\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ca-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\bin\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ja-jp\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\th\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\nb-NO\View3d\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\dev\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\he-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_~_8wekyb3d8bbwe\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\jfr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\it\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\uz\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\meta\art\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fi-fi\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\nb-no\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ca-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\en-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Accessories\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3292 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe C:\Windows\SysWOW64\cmd.exe
PID 3292 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe C:\Windows\SysWOW64\cmd.exe
PID 3292 wrote to memory of 3544 N/A C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe C:\Windows\SysWOW64\cmd.exe
PID 3292 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe C:\Windows\Logo1_.exe
PID 3292 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe C:\Windows\Logo1_.exe
PID 3292 wrote to memory of 5036 N/A C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe C:\Windows\Logo1_.exe
PID 5036 wrote to memory of 2672 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 5036 wrote to memory of 2672 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 5036 wrote to memory of 2672 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3544 wrote to memory of 1088 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe
PID 3544 wrote to memory of 1088 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe
PID 3544 wrote to memory of 1088 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe
PID 2672 wrote to memory of 960 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2672 wrote to memory of 960 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2672 wrote to memory of 960 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 5036 wrote to memory of 3332 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 5036 wrote to memory of 3332 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe

"C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a11CE.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe

"C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4232 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 235.86.200.23.in-addr.arpa udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
US 8.8.8.8:53 chromewebstore.googleapis.com udp
GB 216.58.212.202:443 chromewebstore.googleapis.com tcp
US 8.8.8.8:53 pki.goog udp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 202.212.58.216.in-addr.arpa udp
US 8.8.8.8:53 29.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 18.24.18.2.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 28.73.42.20.in-addr.arpa udp

Files

memory/3292-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\Logo1_.exe

MD5 2fa7d646424dcabdc763a482ed72338a
SHA1 2917f669560129d017d689b255ff05b848a6fcd0
SHA256 b6e3f8544ab9ccaaf1cb6cc51639b7173edb46f7fc186b908d8bcd50b731da69
SHA512 02230628e90c8ae3397fa1c1908c9d4d27c112c7986ab6630608ce16054b1731bb06f3a129657c25a32214bd2451fe36b3f0e649073f5b8b6c86dca42d4b317b

memory/3292-8-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5036-9-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a11CE.bat

MD5 97d0a3fae6be4ca9fbb1feb03ee27d9f
SHA1 23c3a2cb348b8c6971b9506f57d28ff9ab2a4b4e
SHA256 6f3d26028d309ab9206d65ed99d2dea7c1d11f7ae8f5cb4be255c984ec3b40c2
SHA512 9658bcce2044f7bcca2a319c11c84acbc8d34e826757aff1473b07734234b5c719ccbd3960ff4f86a130f037c92e7257768171059e7cd0e7af8ab044061c751d

C:\Users\Admin\AppData\Local\Temp\b2bbdce47bf1e3230dec7b5baa9a5aba384fb50e0c29f0fa34401ce42fdc9ec2.exe.exe

MD5 9e4d73e24d912baa6e20a98fa4f98df3
SHA1 965fbbbaa4156dcb5c6391df4d245bbf94d62c0f
SHA256 28c6ce3582292ca5df81b9f8996369e82d489cc894cba9ed6b3e6678e67fc7f1
SHA512 0fc58e74c7a0773a6338c35656484f2e5682a55a9c6ca03bc479728c617afc99295a3dcb52d7d414d8f5cb9c37704886f54e26acf47a3d69ebb931ce2e3bd4f2

memory/1088-19-0x0000000074A5E000-0x0000000074A5F000-memory.dmp

memory/1088-20-0x0000000000FF0000-0x0000000000FF8000-memory.dmp

memory/5036-22-0x0000000000400000-0x0000000000434000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3808065738-1666277613-1125846146-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

memory/5036-29-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5036-35-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5036-40-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5036-44-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Program Files\7-Zip\7z.exe

MD5 30008560b9177bfb052f3a9762fdeae3
SHA1 f2efbe2b8d8cdc97929a61e68aea51b7e1b1a255
SHA256 7df732e0ff8923eab2f1206791b2a9b88d834fc10333dbde8f4ed8c47b23f3fe
SHA512 7468e1f8e8acd12dd0a97d21350cf5e6fe0463819bdd897a5158bce5186757189b363c4b2b926c048548a3fb76f415b4635e11ad50912da0ac3a57e0922f4b0b

memory/5036-109-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5036-1184-0x0000000000400000-0x0000000000434000-memory.dmp

memory/5036-1939-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 a33a8079a96b84fb107ee4603ea5a431
SHA1 4d57eace6522d58ce571c31103ce1335cac7a334
SHA256 3ca9dbf486bbdef38ddf2102a532563ab20f4d767c5e6228f39e606e626e76d8
SHA512 29ec766ea39de2e24661a6444590fcd3421dfaf8e2f9edc6b7420331b455e9726759add01d9f53862341b7563042f089c64703edfcc38afa5f26e1e4bb64709b

memory/5036-4913-0x0000000000400000-0x0000000000434000-memory.dmp