Malware Analysis Report

2024-10-19 08:23

Sample ID: 240613-xcap6axgpd
Target: c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7
SHA256: c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7
Tags: none
Score: 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

Malicious Activity Summary


Loads dropped DLL

Deletes itself

Executes dropped EXE

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Runs net.exe

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 18:42

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 18:42

Reported

2024-06-13 18:44

Platform

win7-20240508-en

Max time kernel

149s

Max time network

121s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\Y: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\U: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\Logo1_.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\Microsoft Games\More Games\ja-JP\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Mozilla Firefox\browser\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\bin\klist.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\ENU\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\groove.net\Servers\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Microsoft Games\Hearts\de-DE\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\hr\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\cgg\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_ja_4.4.0.v20140623020002\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\ca\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\et\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Microsoft Games\Multiplayer\Spades\en-US\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\is\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\lo\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Windows Defender\fr-FR\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\schema\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jre7\lib\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\Mac\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\zu\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Microsoft.NET\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\ink\fr-FR\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\HWRCustomization\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\plugins\stream_out\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\Images\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\RMNSQUE\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jre7\bin\rmiregistry.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Microsoft Games\Solitaire\de-DE\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\JMC.profile\.data\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Windows Defender\fr-FR\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\fr\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\sr\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Microsoft Office\Office14\Library\SOLVER\_desktop.ini | C:\Windows\Logo1_.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\rundl132.exe | C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe | N/A
File created | C:\Windows\Logo1_.exe | C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe | N/A
File opened for modification | C:\Windows\rundl132.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Windows\vDll.dll | C:\Windows\Logo1_.exe | N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A
N/A | N/A | C:\Windows\Logo1_.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2444 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe | C:\Windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe | C:\Windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe | C:\Windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 2928 | N/A | C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe | C:\Windows\SysWOW64\cmd.exe
PID 2444 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe | C:\Windows\Logo1_.exe
PID 2444 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe | C:\Windows\Logo1_.exe
PID 2444 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe | C:\Windows\Logo1_.exe
PID 2444 wrote to memory of 2936 | N/A | C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe | C:\Windows\Logo1_.exe
PID 2936 wrote to memory of 2200 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 2936 wrote to memory of 2200 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 2936 wrote to memory of 2200 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 2936 wrote to memory of 2200 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 2928 wrote to memory of 2976 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe
PID 2928 wrote to memory of 2976 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe
PID 2928 wrote to memory of 2976 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe
PID 2928 wrote to memory of 2976 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe
PID 2200 wrote to memory of 2624 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2200 wrote to memory of 2624 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2200 wrote to memory of 2624 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2200 wrote to memory of 2624 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 2936 wrote to memory of 1200 | N/A | C:\Windows\Logo1_.exe | C:\Windows\Explorer.EXE
PID 2936 wrote to memory of 1200 | N/A | C:\Windows\Logo1_.exe | C:\Windows\Explorer.EXE

Processes

Process: C:\Windows\Explorer.EXE
Command line: C:\Windows\Explorer.EXE

Process: C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe"

Process: C:\Windows\SysWOW64\cmd.exe
Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1C18.bat

Process: C:\Windows\Logo1_.exe
Command line: C:\Windows\Logo1_.exe

Process: C:\Windows\SysWOW64\net.exe
Command line: net stop "Kingsoft AntiVirus Service"

Process: C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe"

Process: C:\Windows\SysWOW64\net1.exe
Command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/2444-0-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2444-16-0x00000000003B0000-0x00000000003E5000-memory.dmp

memory/2444-15-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\Logo1_.exe

MD5 d0d42004d5e14fecf764dc99963c82fa
SHA1 2b05a3b17e23a16df2a838d31d8c4113993dd833
SHA256 fe58d080c6a43f69deaec1b3fa9ffa2963dd9a3384b6f3aa9895c4dd2c485a8f
SHA512 72f9b71e46512dfcec9bd294930cc9a01acdb8c5b33a3c9a48c9475889f300e35d13191e5868c9798fd335af5a32793f19180b9d015ec18d2b112d0ac1749bee

C:\Users\Admin\AppData\Local\Temp\$$a1C18.bat

MD5 1b7db488ee12fd97bcb8cf29a582e12f
SHA1 14552a3f990f3e31c4f2bfe0b4a1bd6bbcc992f6
SHA256 bef61d81f288e3ec4522e9926adfeee6bb753b8f3c03d7e2b8d94efefb456cdf
SHA512 71da7c1e70914d5f637c6a10ac0175637dc07c634de0b51e0e466c73fc47bcd2bc22313840ffefae8eff28a72ab6c84ad0ac7846e5d510e2465ac00bb07e1cb4

memory/2936-21-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe.exe

MD5 bf261e4750c3149989422b64ca0a8c61
SHA1 d4de22caa39df29160c0d74ca43aa0a124add689
SHA256 bbb18f78f5b4892c1e8d0d5285b1c2ecd744b9bd44ecf614117b4b4694d5a5af
SHA512 3c7e86ab252b9132ff3d9ebeebb1597f8a5860a2e664ba9f99dafbb54b10bd807cf7ba3a1e7ff0fac3ecaa39edc6613fd5a4735275862326d30b3a80c573113f

memory/1200-29-0x0000000002550000-0x0000000002551000-memory.dmp

memory/2936-31-0x0000000000400000-0x0000000000435000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-2737914667-933161113-3798636211-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

memory/2936-38-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2936-44-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2936-90-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2936-96-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2936-638-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2936-1874-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2936-2181-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 0b2679dc1eb882abf56d11ca591aeb76
SHA1 7a5c7ff9a42f9c84873d269d1e776a89045a1f45
SHA256 3d1b129d45f7fe6c861e380906a0c97576a804240426a0d2408f131cbaedc354
SHA512 8661ecb16631ac033db4d7ee8aa291647ca3311888988693633acd1a69fd9d6eb890c94c97656602c47964219a082f875bce41710fe036cf546c29ae49e2e114

memory/2936-3334-0x0000000000400000-0x0000000000435000-memory.dmp

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 88eb1bca8c399bc3f46e99cdde2f047e
SHA1 55fafbceb011e1af2edced978686a90971bd95f2
SHA256 42fd78c05bc240d4ded16ac974f17c336f6ae3a1814d548021c48a942cc30428
SHA512 149d4de0c024e25a13a7bb17471e6f48391d4f26b1c8388672320eed1c255f84219ad7b72bbebc531ae558d5192dd4bb6d0dddd6c65a45300c8e8348a4fb3728

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 18:42

Reported

2024-06-13 18:44

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

C:\Windows\Explorer.EXE

Signatures

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\U: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\M: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\E: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\W: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\V: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\R: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\Q: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\P: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\K: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\I: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\Z: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\S: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\O: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\L: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\G: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\Y: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\X: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\T: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\N: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\J: | C:\Windows\Logo1_.exe | N/A
File opened (read-only) | \??\H: | C:\Windows\Logo1_.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\pt-br\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\tr-tr\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\en-il\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\nn\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ru-ru\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\VideoLAN\VLC\locale\co\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\en-us\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Images\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\zh-cn\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\zu\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\tr-tr\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\tr-tr\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\fi-fi\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ar-ae\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\eu-es\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\de-de\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Setup Files\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\WindowsApps\Microsoft.People_10.1902.633.0_x64__8wekyb3d8bbwe\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\images\themes\dark\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sl-si\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\de-de\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\sk-sk\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ja\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\WindowsApps\Microsoft.HEIFImageExtension_1.0.22742.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.YourPhone_0.19051.7.0_neutral_split.scale-125_8wekyb3d8bbwe\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\root\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ja-jp\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\@1x\themes\dark\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\themes\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Java\jre-1.8\lib\security\policy\unlimited\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\ro-ro\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\pl-pl\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ja-jp\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\SubsetList\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\es\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ja\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\collect_feedback\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\en-il\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-125_kzf8qxf38zg5c\Assets\Images\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\en-gb\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ar-ae\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ru-ru\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\da-dk\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\en-gb\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\he-il\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\cs\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroApp\ENU\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ro-ro\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sv-se\_desktop.ini | C:\Windows\Logo1_.exe | N/A
File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\es-es\_desktop.ini | C:\Windows\Logo1_.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\rundl132.exe | C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe | N/A
File created | C:\Windows\Logo1_.exe | C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe | N/A
File opened for modification | C:\Windows\rundl132.exe | C:\Windows\Logo1_.exe | N/A
File created | C:\Windows\vDll.dll | C:\Windows\Logo1_.exe | N/A

Runs net.exe

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2512 wrote to memory of 684 | N/A | C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe | C:\Windows\SysWOW64\cmd.exe
PID 2512 wrote to memory of 684 | N/A | C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe | C:\Windows\SysWOW64\cmd.exe
PID 2512 wrote to memory of 684 | N/A | C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe | C:\Windows\SysWOW64\cmd.exe
PID 2512 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe | C:\Windows\Logo1_.exe
PID 2512 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe | C:\Windows\Logo1_.exe
PID 2512 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe | C:\Windows\Logo1_.exe
PID 3040 wrote to memory of 3164 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 3040 wrote to memory of 3164 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 3040 wrote to memory of 3164 | N/A | C:\Windows\Logo1_.exe | C:\Windows\SysWOW64\net.exe
PID 3164 wrote to memory of 4348 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 3164 wrote to memory of 4348 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 3164 wrote to memory of 4348 | N/A | C:\Windows\SysWOW64\net.exe | C:\Windows\SysWOW64\net1.exe
PID 684 wrote to memory of 4824 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe
PID 684 wrote to memory of 4824 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe
PID 3040 wrote to memory of 3456 | N/A | C:\Windows\Logo1_.exe | C:\Windows\Explorer.EXE
PID 3040 wrote to memory of 3456 | N/A | C:\Windows\Logo1_.exe | C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe

"C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a687E.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe

"C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe"

Network

Country Destination Domain Proto
US 23.53.113.159:80 tcp

Files

memory/2512-0-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\Logo1_.exe

MD5 d0d42004d5e14fecf764dc99963c82fa
SHA1 2b05a3b17e23a16df2a838d31d8c4113993dd833
SHA256 fe58d080c6a43f69deaec1b3fa9ffa2963dd9a3384b6f3aa9895c4dd2c485a8f
SHA512 72f9b71e46512dfcec9bd294930cc9a01acdb8c5b33a3c9a48c9475889f300e35d13191e5868c9798fd335af5a32793f19180b9d015ec18d2b112d0ac1749bee

memory/3040-11-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2512-8-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a687E.bat

MD5 7d85496401503f3fda0d7e4eaf898608
SHA1 e42950ca88e6f7caa24089b4a7f718e372b6a7b5
SHA256 631971f8bf3ecedb1c075bd1f57a1fe71fbf824fdbdc2eb790a5644a58662f2c
SHA512 6ce08b8bb4ee29ca0b29377cdf6768a25e6233dacf0fee2fa1bac3221b0f36dffab7895e668abb32f50f314e1bf02065cd73930f49ca8d0bd09978f6a6577626

C:\Users\Admin\AppData\Local\Temp\c53a5da3dc11fc53bed73e3560b1fdf748f083f662156b98847f9f6683717ae7.exe.exe

MD5 bf261e4750c3149989422b64ca0a8c61
SHA1 d4de22caa39df29160c0d74ca43aa0a124add689
SHA256 bbb18f78f5b4892c1e8d0d5285b1c2ecd744b9bd44ecf614117b4b4694d5a5af
SHA512 3c7e86ab252b9132ff3d9ebeebb1597f8a5860a2e664ba9f99dafbb54b10bd807cf7ba3a1e7ff0fac3ecaa39edc6613fd5a4735275862326d30b3a80c573113f

memory/3040-20-0x0000000000400000-0x0000000000435000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

memory/3040-27-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3040-33-0x0000000000400000-0x0000000000435000-memory.dmp

memory/3040-37-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Program Files\7-Zip\7z.exe

MD5 14a1606ee014690541ddd1c51169cba2
SHA1 2a75e583a802f1737912793c4977721b976a29b8
SHA256 41a57fc5677fdb1ae06acc8ad9c88f8ca184d986ef55a0551c5558372da8e065
SHA512 cd36672cd1ad94990e928c81e872d2ec9fa0cb0765b0002b5b676d62f801ac6df077ab042eb978a1f9fef644e92d08ef2cdc6f860d2161b0e12848108fa7fef7

memory/3040-1231-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 0b2679dc1eb882abf56d11ca591aeb76
SHA1 7a5c7ff9a42f9c84873d269d1e776a89045a1f45
SHA256 3d1b129d45f7fe6c861e380906a0c97576a804240426a0d2408f131cbaedc354
SHA512 8661ecb16631ac033db4d7ee8aa291647ca3311888988693633acd1a69fd9d6eb890c94c97656602c47964219a082f875bce41710fe036cf546c29ae49e2e114

memory/3040-4797-0x0000000000400000-0x0000000000435000-memory.dmp

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 9cba1e86016b20490fff38fb45ff4963
SHA1 378720d36869d50d06e9ffeef87488fbc2a8c8f7
SHA256 a22e6d0f5c7d44fefc2204e0f7c7b048e1684f6cf249ba98c006bbf791c22d19
SHA512 2f3737d29ea3925d10ea5c717786425f6434be732974586328f03691a35cd1539828e3301685749e5c4135b8094f15b87fb9659915de63678a25749e2f8f5765

memory/3040-5236-0x0000000000400000-0x0000000000435000-memory.dmp