Malware Analysis Report

2024-09-11 07:34

Sample ID 240613-zd6kbszbqd
Target dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02
SHA256 dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02
Tags
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02

Threat Level: Shows suspicious behavior

The file dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02 was found to be: Shows suspicious behavior.

Malicious Activity Summary
Checks computer location settings

Deletes itself

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Runs net.exe

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-13 20:37

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 20:37

Reported

2024-06-13 20:39

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

151s

Command Line

C:\Windows\Explorer.EXE

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\de-de\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\he-IL\View3d\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\pl-pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jmap.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.NET.Native.Framework.2.2_2.2.27405.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\Autogen\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.StorePurchaseApp_11811.1001.18.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroTextExtractor.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Mozilla Maintenance Service\logs\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\dtplugin\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ca-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\Abbreviations\en_CA\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\wmplayer.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\hu-hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\be\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.VCLibs.140.00.UWPDesktop_14.0.27629.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\themes\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\ca-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\ru-ru\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sl-si\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.NETCore.App\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\AppTiles\contrast-black\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\cs-cz\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\gd\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\zu\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\cs-cz\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\images\themes\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\bn-BD\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxIdentityProvider_12.50.6001.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\images\themeless\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PUMPSETUP.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\SETUPX64\PUMPSETUP64.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 116 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe C:\Windows\SysWOW64\cmd.exe
PID 116 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe C:\Windows\SysWOW64\cmd.exe
PID 116 wrote to memory of 4528 N/A C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe C:\Windows\SysWOW64\cmd.exe
PID 116 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe C:\Windows\Logo1_.exe
PID 116 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe C:\Windows\Logo1_.exe
PID 116 wrote to memory of 3960 N/A C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe C:\Windows\Logo1_.exe
PID 3960 wrote to memory of 956 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3960 wrote to memory of 956 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3960 wrote to memory of 956 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 956 wrote to memory of 1972 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 956 wrote to memory of 1972 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 956 wrote to memory of 1972 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4528 wrote to memory of 4408 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe
PID 4528 wrote to memory of 4408 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe
PID 4528 wrote to memory of 4408 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe
PID 3960 wrote to memory of 3532 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 3960 wrote to memory of 3532 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 4408 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PUMPSETUP.EXE
PID 4408 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PUMPSETUP.EXE
PID 4408 wrote to memory of 1652 N/A C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PUMPSETUP.EXE
PID 1652 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PUMPSETUP.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\SETUPX64\PUMPSETUP64.EXE
PID 1652 wrote to memory of 2304 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PUMPSETUP.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\SETUPX64\PUMPSETUP64.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe

"C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a46AE.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe

"C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PUMPSETUP.EXE

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PUMPSETUP.EXE"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\SETUPX64\PUMPSETUP64.EXE

C:\Users\Admin\AppData\Local\Temp\RarSFX0\SETUPX64\PUMPSETUP64.EXE

Network

Country Destination Domain Proto
NL 52.142.223.178:80 tcp

Files

memory/116-3-0x0000000000400000-0x0000000000434000-memory.dmp

memory/116-9-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\Logo1_.exe

MD5 6a642b6265d1b27b9cc6eb897e651406
SHA1 f286966ee0dcc2be28a16a062c9bc7d1a74bdc9e
SHA256 bfe028ae725ae2c6b577e56f908e46a13810bf3425c3846a7dbfe7c931bfa82e
SHA512 46ca3c579c1280425656ef33a242baccf019533bea36e0201bd9b1072e68be3a07e482365b4156498f95b29c81f6c3eaebe3f0c7f0306a355d2d9bfd2b45faa8

memory/3960-13-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a46AE.bat

MD5 09c69064d9c6e6740e5b45f3239b61a3
SHA1 34e3115283ce3ec96366afb4fd540823a4a85fa6
SHA256 5dcd4ef6aeb44f1f80f682b43839dd51d41298799f5061517ae48c43f7828e00
SHA512 5a973df27a7dc056c217e22a654118c658967357079e5a4eee24b95549b854405abd293fc181cf52789874fcb011aef999cb41cf29739563d286bbad3e1798b8

C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe.exe

MD5 52606a5ae27afa8e8479861e322b062b
SHA1 fd4b55c76aee21576c8af3f34f53c874341eb9c1
SHA256 8ab96f15b257abd09ceef9eacf1e665e7b21da27a8fbf68d163ec73cef410c2e
SHA512 ace879b899ad41ad93ed11c42db4057dbf8375334f0ed90b78692cc090b92e3b77a7d27e2b1abf8ef2f9d54a12213c746751a2328cb7faccba6922683919cf3b

memory/4408-19-0x0000000000DE0000-0x0000000000E42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_2S1P\WIN 2012&8&81&2016&10\PCIESER.sys

MD5 9e959e4d047fba87f0d1888b1156c1da
SHA1 2e08b94d5ef397d79f5eb97d3eda3355e7dd955c
SHA256 aab1ac0c34c0174eba26e44056274534e71ed1cd3805ef8f1f1337e84e937111
SHA512 3ad05a6d412d488cdd2dafc17fab089e5e4db402daae4dea45d98b4a605b239f86d57653847a8a2526b60dd9792429df9a287453cf9441eeb28245c2acd8f4ff

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_2S1P\WIN 2012&8&81&2016&10\wcheports.dll

MD5 97ef611fd2954025fa333e20fc76feaf
SHA1 0ab6507cc4cc991880f7e401d4ad33a4eec8bd50
SHA256 1d130b3ece96939ca228de625c574205653e5108d7dfbc89d6652b1965e3acd3
SHA512 a213c4c55d5807eaeb33a702b7366e760527a938c93627226eb376e8ea4697687f6045eb1091a30d3769b2a2af2258cee965c6e71e91274fdab1148dd4c74047

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_2S1P\WIN 98&NT40\CH38MDRV.INF

MD5 eb43d8e3154ec6c529a27af9f272ee30
SHA1 3d157e904af76364d10e143339bab73cf594ec8c
SHA256 f7ff373d4aae7f882d7b853eef493af5e17ca82a2545fe7dbf3bb1a55b0d7cb0
SHA512 7a2cf9c8b0d5e80997c1d1c77f4914099629f93d7bcafa8f69b1399374e8248c3084cc7385b33b9ec81d90686ee88751c3c13304604e551319a9aa608db0741e

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_2S1P\WIN 98&NT40\EMPORTS.INF

MD5 7133304c033e42cc1098dce068d17276
SHA1 00d938d9778a75a3459597c7116d5e85bd6fe7ab
SHA256 bd81acad6e28fd7b69b0f5132a771198647180cc9133b233caee02ce53aeca6e
SHA512 b31cb11f98175ee632d3f030c8d1fd37ea40918694d3573b4d70bd18a62da2a63a1e22c957183e4c4c48c42c5db72dabd0a5bb4ede38510c325344576f829c90

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_4S\WIN 2003&XP&VISTA&2008&7\ch38xdrv.cat

MD5 6bbfcc4872a3ef5347366e4ca70886e0
SHA1 9512e71b9fc11383d2e41c379f94c47e0cd8fd8a
SHA256 7c5a91884b6dc1e10362349eeb416fec94b822d95b03117c79c6fea6152c2915
SHA512 673710d16d94e533305e9607bc8f81a490f36c187325c48590387f058f5ce892533b6d61e3647b8131511aa0c5a733c520da7cb9617d2a4603614e284549b6d4

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_4S\WIN 2003&XP&VISTA&2008&7\PCIESA64.sys

MD5 08b4416ace3d858c951fb9b70427db8e
SHA1 9a807ac6b00e20214ac33642782a756bf113812b
SHA256 b3e3807f14eef8739ea16a0cdef7048f23f02dd175c58030fa80ca37d93908eb
SHA512 ada056bc063ba3f93b9dabf341d3143f58990ca9d108edbbd6468fd1e28e56b7b1c9ea07d09ea72df2cbfdd821f84013d46ece59bacb3ffe4eafb215904de63f

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_4S\WIN 2003&XP&VISTA&2008&7\wcheports64.dll

MD5 3108dde0be18f0843eabc6bd829777e0
SHA1 bba9622e027a9f2adfdd363af7536cf4a46736b9
SHA256 b4b338294fe76b2fa0653760403fcf4c32431274853c546d65d9a6c6755acd11
SHA512 4edf07d93dc83bebb42ce4410f45041353a3d99610e42e0f8c3bf6825b3089f86c273ec3476728a669bfe5a6d3ba6f123e056bd804cb5780d84c6a01b9d09f98

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_4S1P\LINUX\driver\Makefile

MD5 07cf2a6df1ae4332a1fca076f94fc666
SHA1 d6463cc1814c1e7380db9170964e25087dcd8c7e
SHA256 ca701e7dc3f5cff0c98d0aa0689bfcd741ebe92506444a21002fbd45ac2a2307
SHA512 a388be59d8de59a4e1ba528e8e6e37db5503da76ebc367368ed761c84c9f96587731c2a6027aad3a285a6376ce6f118fea3afa0d513af82d9561e5a793314bae

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_4S1P\LINUX\driver\wch_common.h

MD5 6881afb5437910d41e99a2d0ef1dcb08
SHA1 99d8561f21631979a0283f0001e18425e6859619
SHA256 40d4b538d15abc146118ca530895f37f0daf869d69c4cdeeaf81609e6742d21f
SHA512 b0ab73082c7623b63bd69abd6f9798405e2b5f4bcd62d694825fa4f683d4f091b212a3634702bcb799a9605bd4079bc0fb66130b46ca61ec11f476c39753ad2a

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_4S1P\LINUX\driver\wch_devtable.c

MD5 21582239f825ecd714337e7beda0bd4b
SHA1 f87ba7dcdbaf947ccef581dbe750469c1e98b5ec
SHA256 9edd49c2842ab7d213cfe2838543a6510c03a719d16d744af18549899493d4ca
SHA512 38c9df985d5010bda2dc7b70f7318530b650d0a6280896db4ebc81938f8b257a94439d2ef5812a82680f485218a9860eb800a8c80b3861160e647c26aac77c08

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_4S1P\LINUX\driver\wch_main.c

MD5 07889835be28312c91b8e75042576b79
SHA1 c1a16512af45d677ae113390e63a39b3215898f5
SHA256 94a7c6ceb54d53fbf20d58377c954f8aa56912ec59108cacea2de9e8380d8599
SHA512 18e12c52f0681f64181059349bbea3a0e861aaa865e106730955a9cd8bf0623f11d4a3f6f1ebbeb6d9981075b5b72a22b508ebc874a4256911143c296e6be865

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_4S1P\LINUX\driver\wch_serial.c

MD5 9dbe497afe43518a91fcbf7ffd7e23b4
SHA1 7555891369e2d9b51026260e021ff26eb43d7eb3
SHA256 a2ed2ed7f708b565249c79c141fa43e44bdcf615ccd1ce5a9db05d7b48abe8ea
SHA512 f4898efe677e25b1439fa62662cdaa713b03d563c4ecb8ef5defe7a984161dee7491819e99924529f8933b9f2413e3516a28e97b84e76d8a063ddcab0b6fe0de

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_4S1P\LINUX\README

MD5 4e7d4a279bc5bf851aaa8436f9ca2de4
SHA1 5b181a9094c42d8de31b41760130f2294304a452
SHA256 f21532afe8ee1885917ebdf4e9b383286457704bbd896fe9908aaafa5cf8936c
SHA512 9cde244b7e29ee87f701c8342bc5dc142b8f0e62be16f27ddbb4feda5e08a5b1ddecc136bde073e4b963dbd275808820f45e9ae4791fa6728818d1ed1d678142

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_4S1P\LINUX\wchterm\Makefile

MD5 524540c7ce53746b7725a157fb54a07a
SHA1 2fb00d78be780a7aa7803379d2fcbf3bb261366d
SHA256 80368b581e178c46c2433e2104ada5055557512c6a52d5551d5d1289fad77cdc
SHA512 3f0d8c581c02e5616b86c559905363e41c38431972087870f51b4365a9399dd25625f648da9220378f56de9b68a560cfd979cf6631e9fad25a9e22d93a0ef333

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_4S1P\LINUX\wchterm\wchterm.c

MD5 99c11200c47af0abf9f144e0bb97d3a1
SHA1 21405cb4daa7a4fce306f2b87036527e18fda1f9
SHA256 50558006d260bdd4224977019617f02f05209ed0bfa70b4652f0d683592e670a
SHA512 41164dfc59eec11f2a2178553561279744ff7ef93e67b3fd11004ad0e0e47a1b1b1bbce8b630b28d928a3b3ab89eb214c68c128282761507356884335c105c9b

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_4S1P\LINUX\wchterm\wchterm.h

MD5 0b51548b16e322c0cdfb58a9b6a2d2e5
SHA1 acfdd51a3bca241ead35b00a73cda0b78edfc867
SHA256 106203829fe3a81daceda8d76df9f88aae3934e6802c672e28ba08ec176aa4fc
SHA512 63d24f7647c97d45c7d7edac7b8191682fd07f719271ae70796ea8b6877d9cd653e6289d898947d4bb34ef80073651569247a056967e68a8c1f5a19197266c7f

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_4S1P\WIN 2000\CH38MDRV2K.INF

MD5 22eb10147cc6545a01d34086e630e814
SHA1 9c3611295356aa17ac43d414d5043439230d90bf
SHA256 14044fa4c4da914f6276d576e0b92a3e38c4c5794a12cdac7a0d39234d0607c7
SHA512 d612bc9ad6de9208d203945999d935737e50a170e74e3953b8fe9f9eb880600b982bcdad2863e3c03dd2cce328a6967767f93828f9b26b13422da80c8f78f272

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_4S1P\WIN 2000\EMPORTS2K.INF

MD5 899bb87310c389096bc62d388dd97ab3
SHA1 06a0945a77855f5909312454788f4bbcc57090b4
SHA256 4345189b3a4818603958e60a7404ed1bc6a6c2b288a9e1effd72a65ca35481f8
SHA512 6880fec4f7e00b81ffc49f504eb3376282f1e646b6fd78aff2005b6836cbc44147e900fae1b89215fcb5a562846498d5676a9382284657c86ad76ce8068b90b0

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_1P\WIN 2000\PCIEPAR.sys

MD5 1b1831215df0698ead0368771163e276
SHA1 cea2772b516202f280895ecb21d91be5af7a5946
SHA256 a1bfb4195b20279ec6d5220f4e63e6bea92faffb2a5ca21a743aa5ff2971eecc
SHA512 e2a545e2a24736bd477ff729256f88a550c87beba3157f41c50dffc7d815328e8c1b037824bae344eb1a4c05624a17cac9a575e0752110b6526c8cc7c61f571f

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_1S\DOS\CH38XDOS.EXE

MD5 1398027ba484d73d558292b147145b22
SHA1 a8cc63e3d24e39d8f81e01b86f63e88413586fce
SHA256 8bbd22b6a7b3a6323f504ea741541a49a9dd2c38f1b6902b2d8c8fccc8d57283
SHA512 8751f8c7761fe1ef7b738b64296bf57cf207c5eb587fceb67df4c2c7cc6d5c8232f75aabdbc0fa59d643cc4cb7ec26b1f6aa6483b7732fc008cc7b21dcd1fb40

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_1S\DOS\readme.txt

MD5 e5614e9431672d37e26a43f17c02e402
SHA1 b65b4c195e4f6ccbdb0b21fa15db1246c5993c29
SHA256 cd1a34566f6086637ff689abf291df7dda8136c013aeda1e68c8c77dc0497828
SHA512 290f7c95104a79970e2bd42db0bfc2532f02aef6a553a5975ea47cf19224ee5692c4c10e7c85a39782ccca407c7587560dc57cdbe302412b41ff1ac299c22c94

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PUMPSETUP.EXE

MD5 44fa26d0383632eb291fa0e43678f27a
SHA1 47f8efa967a81081231bbfc4e75f00ba09557af3
SHA256 ee685c22ced54b7afbfbc748663ea45871fab5806ad6ee923261b27e211ebe6e
SHA512 3273d57ecba1d44b386599a08032bb063e13d5fd70953e5a9ced61dc0e33a3b68948402c24ab6f6c507d803298dbc043a6b0635a4247b7ae5bec96c9069a0fa1

C:\Users\Admin\AppData\Local\Temp\RarSFX0\SETUPX64\PUMPSETUP64.exe

MD5 cb18a5f27924cc59e739c2e84bd5c305
SHA1 593b66a162529e21251d837541a766c9b3c468de
SHA256 8c1b5d10f07913960dae751b54d3173bb48d7b7b2ade5909b5a549098ba762d1
SHA512 8090d639cf9958464ca0a855792c5f63cf1d5ec021445844bbdf0c5866271a0eb36c7cd39d7186ee23503bcc10bfd94ca43499ec4d78c4bde54b9eea4f1ffe8e

memory/4408-590-0x0000000000DE0000-0x0000000000E42000-memory.dmp

memory/3960-591-0x0000000000400000-0x0000000000434000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-1337824034-2731376981-3755436523-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

memory/3960-598-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3960-604-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3960-608-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Program Files\7-Zip\7z.exe

MD5 39739a667d9134fe2147854b62e464ba
SHA1 357d17bdf82d755e250011a3e83ecd0ebed023f2
SHA256 c98e602e2dac094fda66a62c77a417dfbf85bbe674f8319a075ac7ded243f46b
SHA512 0a0bdc465ae3d053045b87a0a37a53599f0857e1e6cf35670fd471eec4ffc99a7f7269a75b0396b7435fb1a1454cdf91bca105af8fc96037067728a7763150c4

memory/3960-680-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3960-1803-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 ecc3f9c49b57f7c390617c6b22dd612c
SHA1 f8ba30ccaf7d1d2f05219a7daa8f412040130fd2
SHA256 f8b9d5a37e836b6ff7a487c096e522e6483ed50eba58680cca09bd5f4f099dab
SHA512 05698833e190e5263cada1475b29f877abfae445a70cddee997c9ce776aa9b76a16dbe2290fca742518c4e382aca1a512a3d49d5349b0a801d6e93f3dd9c0375

memory/3960-5368-0x0000000000400000-0x0000000000434000-memory.dmp

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 2500f702e2b9632127c14e4eaae5d424
SHA1 8726fef12958265214eeb58001c995629834b13a
SHA256 82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c
SHA512 f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

memory/3960-5807-0x0000000000400000-0x0000000000434000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 20:37

Reported

2024-06-13 20:39

Platform

win7-20231129-en

Max time kernel

149s

Max time network

121s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Media Player\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\7-Zip\Uninstall.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Purble Place\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Help\2052\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\vi\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\stream_filter\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\private_browsing.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Internet Explorer\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Journal\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DW20.EXE C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Oasis\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\mr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Portable Devices\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\icons\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\cgg\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Mail\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\SystemV\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Minesweeper\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\be\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\dialogs\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\AcroForm\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\1033\ONENOTE\14\Stationery\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\hy\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ARCTIC\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\am\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Defender\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\gu\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\hu\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Mail\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2360 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 2224 N/A C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe C:\Windows\Logo1_.exe
PID 2360 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe C:\Windows\Logo1_.exe
PID 2360 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe C:\Windows\Logo1_.exe
PID 2360 wrote to memory of 2388 N/A C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe C:\Windows\Logo1_.exe
PID 2388 wrote to memory of 2776 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2388 wrote to memory of 2776 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2388 wrote to memory of 2776 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2388 wrote to memory of 2776 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2776 wrote to memory of 2652 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2776 wrote to memory of 2652 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2776 wrote to memory of 2652 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2776 wrote to memory of 2652 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2224 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe
PID 2224 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe
PID 2224 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe
PID 2224 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe
PID 2656 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PUMPSETUP.EXE
PID 2656 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PUMPSETUP.EXE
PID 2656 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PUMPSETUP.EXE
PID 2656 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PUMPSETUP.EXE
PID 2656 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PUMPSETUP.EXE
PID 2656 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PUMPSETUP.EXE
PID 2656 wrote to memory of 324 N/A C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\PUMPSETUP.EXE
PID 324 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PUMPSETUP.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\SETUPX64\PUMPSETUP64.EXE
PID 324 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PUMPSETUP.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\SETUPX64\PUMPSETUP64.EXE
PID 324 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PUMPSETUP.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\SETUPX64\PUMPSETUP64.EXE
PID 324 wrote to memory of 1248 N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\PUMPSETUP.EXE C:\Users\Admin\AppData\Local\Temp\RarSFX0\SETUPX64\PUMPSETUP64.EXE
PID 2388 wrote to memory of 1372 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2388 wrote to memory of 1372 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe

"C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a58C.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe

"C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\PUMPSETUP.EXE

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PUMPSETUP.EXE"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\SETUPX64\PUMPSETUP64.EXE

C:\Users\Admin\AppData\Local\Temp\RarSFX0\SETUPX64\PUMPSETUP64.EXE
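
Read together, the "Suspicious use of WriteProcessMemory" rows and the Processes list above describe one process tree that the flat report makes hard to see: the sample launches cmd.exe on a batch file in %TEMP%, that batch file re-launches the sample, which then unpacks and runs the RarSFX PUMPSETUP installer; in parallel the sample starts C:\Windows\Logo1_.exe, which stops the "Kingsoft AntiVirus Service" through net.exe/net1.exe (ATT&CK T1562.001, Impair Defenses: Disable or Modify Tools) and writes into Explorer.EXE. The Python below is an added example, not part of the sandbox report: it parses the rows exactly as printed, collapses the repeats (the sandbox logs one row per WriteProcessMemory call), rebuilds the tree and applies four heuristic flags of its own. Keying command lines by image path is a simplification assumed here because the sample's two instances (PIDs 2360 and 2656) share one command line; an EDR feed would key by PID. The rows also cannot tell a freshly spawned child from a write into an existing process; since the detonation's Command Line and first Processes entry are Explorer.EXE, the 2388 -> 1372 edge is best read as a write into the already running shell, which the flag treats as noteworthy on its own.

```python
import re

# Image paths as they appear in the report.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe")
CMD = r"C:\Windows\SysWOW64\cmd.exe"
LOGO1 = r"C:\Windows\Logo1_.exe"
NET = r"C:\Windows\SysWOW64\net.exe"
NET1 = r"C:\Windows\SysWOW64\net1.exe"
PUMP = r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\PUMPSETUP.EXE"
PUMP64 = r"C:\Users\Admin\AppData\Local\Temp\RarSFX0\SETUPX64\PUMPSETUP64.EXE"
EXPLORER = r"C:\Windows\Explorer.EXE"

# The WriteProcessMemory rows, reproduced with their repeat counts from the report.
WPM_ROWS = (
    [f"PID 2360 wrote to memory of 2224 N/A {SAMPLE} {CMD}"] * 4
    + [f"PID 2360 wrote to memory of 2388 N/A {SAMPLE} {LOGO1}"] * 4
    + [f"PID 2388 wrote to memory of 2776 N/A {LOGO1} {NET}"] * 4
    + [f"PID 2776 wrote to memory of 2652 N/A {NET} {NET1}"] * 4
    + [f"PID 2224 wrote to memory of 2656 N/A {CMD} {SAMPLE}"] * 4
    + [f"PID 2656 wrote to memory of 324 N/A {SAMPLE} {PUMP}"] * 7
    + [f"PID 324 wrote to memory of 1248 N/A {PUMP} {PUMP64}"] * 4
    + [f"PID 2388 wrote to memory of 1372 N/A {LOGO1} {EXPLORER}"] * 2
)

# Command lines from the Processes block, keyed by image path (assumption:
# the sample's two instances share one command line, so nothing is lost here).
CMDLINES = {
    EXPLORER: EXPLORER,
    SAMPLE: f'"{SAMPLE}"',
    CMD: r"cmd /c C:\Users\Admin\AppData\Local\Temp\$$a58C.bat",
    LOGO1: LOGO1,
    NET: 'net stop "Kingsoft AntiVirus Service"',
    NET1: r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"',
    PUMP: f'"{PUMP}"',
    PUMP64: PUMP64,
}

ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S+) (\S+)$")


def parse_edges(rows):
    """Unique (ppid, cpid, parent_image, child_image) -> times logged, first-seen order."""
    edges = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unparsed row: {row!r}")
        key = (int(m[1]), int(m[2]), m[3], m[4])
        edges[key] = edges.get(key, 0) + 1
    return edges


def build_tree(edges):
    """children: ppid -> [cpid]; image: pid -> path; roots: pids never written into."""
    children, image = {}, {}
    for ppid, cpid, pimg, cimg in edges:
        children.setdefault(ppid, []).append(cpid)
        image[ppid] = pimg
        image[cpid] = cimg
    targets = {cpid for _, cpid, _, _ in edges}
    roots = [pid for pid in image if pid not in targets]
    return children, image, roots


def render(children, image, cmdlines, pid, depth=0, out=None):
    """Indented one-line-per-process view, command line in brackets when it adds information."""
    out = [] if out is None else out
    line = f"{'  ' * depth}{pid} {image[pid]}"
    cl = cmdlines.get(image[pid], "")
    if cl and cl.strip('"') != image[pid]:
        line += f"  [{cl}]"
    out.append(line)
    for child in children.get(pid, []):
        render(children, image, cmdlines, child, depth + 1, out)
    return out


def triage(edges, cmdlines, sample_image):
    """Heuristic flags over the edges; these rules are this example's own, not the sandbox's."""
    flags = []
    for ppid, cpid, pimg, cimg in edges:
        cl = cmdlines.get(cimg, "")
        low, child = cl.lower(), cimg.lower()
        if child.endswith("\\net.exe") and " stop " in low and "antivirus" in low:
            flags.append(f"{ppid} {pimg}: stops an anti-virus service: {cl}")
        if child.endswith("\\cmd.exe") and "\\temp\\" in low and low.endswith(".bat"):
            flags.append(f"{ppid} {pimg}: runs a batch file from %TEMP%: {cl}")
        if pimg.lower().endswith("\\cmd.exe") and cimg == sample_image:
            flags.append(f"{ppid} {pimg}: batch file re-launches the sample as PID {cpid}")
        if child.endswith("\\explorer.exe"):
            flags.append(f"{ppid} {pimg}: wrote into the shell process {cpid} {cimg}")
    return flags


if __name__ == "__main__":
    edges = parse_edges(WPM_ROWS)
    children, image, roots = build_tree(edges)
    for root in roots:
        print("\n".join(render(children, image, CMDLINES, root)))
    print("\n".join(triage(edges, CMDLINES, SAMPLE)))
```

The same parser works on the behavioral2 rows further up the page; only the PIDs and the image constants change. The "batch file re-launches the sample" flag is what ties the "Deletes itself" signature to the rest of the chain: cmd.exe is the process credited with the deletion, and it is also the parent of the second sample instance.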

Network

N/A

Files

memory/2360-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a58C.bat

MD5 5aa48b503da779798c326a185160c4d3
SHA1 de02e9122573746adbc5348aaa9f954c2c092c79
SHA256 d6e26bb92008686ad947cfce90f661961151f077f00b2a456de3994218b30835
SHA512 3a1deba2b8fa66c2ff4710b3bb0a0a0886933716d7e3aec0a2028f5dae58adcc9c80815b50563e2ba4c3186c27a758bec6910951bdc4052f2f096f2cc2b20309

C:\Windows\Logo1_.exe

MD5 6a642b6265d1b27b9cc6eb897e651406
SHA1 f286966ee0dcc2be28a16a062c9bc7d1a74bdc9e
SHA256 bfe028ae725ae2c6b577e56f908e46a13810bf3425c3846a7dbfe7c931bfa82e
SHA512 46ca3c579c1280425656ef33a242baccf019533bea36e0201bd9b1072e68be3a07e482365b4156498f95b29c81f6c3eaebe3f0c7f0306a355d2d9bfd2b45faa8

memory/2360-18-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2360-17-0x00000000005D0000-0x0000000000604000-memory.dmp

memory/2360-15-0x00000000005D0000-0x0000000000604000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dc21cbe87c53865d32a78b5ecbe0f0187101e4e07910354a48ce74300e709b02.exe.exe

MD5 52606a5ae27afa8e8479861e322b062b
SHA1 fd4b55c76aee21576c8af3f34f53c874341eb9c1
SHA256 8ab96f15b257abd09ceef9eacf1e665e7b21da27a8fbf68d163ec73cef410c2e
SHA512 ace879b899ad41ad93ed11c42db4057dbf8375334f0ed90b78692cc090b92e3b77a7d27e2b1abf8ef2f9d54a12213c746751a2328cb7faccba6922683919cf3b

memory/2224-28-0x0000000000480000-0x00000000004E2000-memory.dmp

memory/2656-30-0x0000000000B80000-0x0000000000BE2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_2S1P\WIN 2012&8&81&2016&10\PCIESER.sys

MD5 9e959e4d047fba87f0d1888b1156c1da
SHA1 2e08b94d5ef397d79f5eb97d3eda3355e7dd955c
SHA256 aab1ac0c34c0174eba26e44056274534e71ed1cd3805ef8f1f1337e84e937111
SHA512 3ad05a6d412d488cdd2dafc17fab089e5e4db402daae4dea45d98b4a605b239f86d57653847a8a2526b60dd9792429df9a287453cf9441eeb28245c2acd8f4ff

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_2S1P\WIN 2012&8&81&2016&10\wcheports.dll

MD5 97ef611fd2954025fa333e20fc76feaf
SHA1 0ab6507cc4cc991880f7e401d4ad33a4eec8bd50
SHA256 1d130b3ece96939ca228de625c574205653e5108d7dfbc89d6652b1965e3acd3
SHA512 a213c4c55d5807eaeb33a702b7366e760527a938c93627226eb376e8ea4697687f6045eb1091a30d3769b2a2af2258cee965c6e71e91274fdab1148dd4c74047

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_2S1P\WIN 98&NT40\CH38MDRV.INF

MD5 eb43d8e3154ec6c529a27af9f272ee30
SHA1 3d157e904af76364d10e143339bab73cf594ec8c
SHA256 f7ff373d4aae7f882d7b853eef493af5e17ca82a2545fe7dbf3bb1a55b0d7cb0
SHA512 7a2cf9c8b0d5e80997c1d1c77f4914099629f93d7bcafa8f69b1399374e8248c3084cc7385b33b9ec81d90686ee88751c3c13304604e551319a9aa608db0741e

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_2S1P\WIN 98&NT40\EMPORTS.INF

MD5 7133304c033e42cc1098dce068d17276
SHA1 00d938d9778a75a3459597c7116d5e85bd6fe7ab
SHA256 bd81acad6e28fd7b69b0f5132a771198647180cc9133b233caee02ce53aeca6e
SHA512 b31cb11f98175ee632d3f030c8d1fd37ea40918694d3573b4d70bd18a62da2a63a1e22c957183e4c4c48c42c5db72dabd0a5bb4ede38510c325344576f829c90

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_4S\WIN 2003&XP&VISTA&2008&7\ch38xdrv.cat

MD5 6bbfcc4872a3ef5347366e4ca70886e0
SHA1 9512e71b9fc11383d2e41c379f94c47e0cd8fd8a
SHA256 7c5a91884b6dc1e10362349eeb416fec94b822d95b03117c79c6fea6152c2915
SHA512 673710d16d94e533305e9607bc8f81a490f36c187325c48590387f058f5ce892533b6d61e3647b8131511aa0c5a733c520da7cb9617d2a4603614e284549b6d4

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_4S\WIN 2003&XP&VISTA&2008&7\PCIESA64.sys

MD5 08b4416ace3d858c951fb9b70427db8e
SHA1 9a807ac6b00e20214ac33642782a756bf113812b
SHA256 b3e3807f14eef8739ea16a0cdef7048f23f02dd175c58030fa80ca37d93908eb
SHA512 ada056bc063ba3f93b9dabf341d3143f58990ca9d108edbbd6468fd1e28e56b7b1c9ea07d09ea72df2cbfdd821f84013d46ece59bacb3ffe4eafb215904de63f

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_4S\WIN 2003&XP&VISTA&2008&7\wcheports64.dll

MD5 3108dde0be18f0843eabc6bd829777e0
SHA1 bba9622e027a9f2adfdd363af7536cf4a46736b9
SHA256 b4b338294fe76b2fa0653760403fcf4c32431274853c546d65d9a6c6755acd11
SHA512 4edf07d93dc83bebb42ce4410f45041353a3d99610e42e0f8c3bf6825b3089f86c273ec3476728a669bfe5a6d3ba6f123e056bd804cb5780d84c6a01b9d09f98

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_4S1P\LINUX\driver\Makefile

MD5 07cf2a6df1ae4332a1fca076f94fc666
SHA1 d6463cc1814c1e7380db9170964e25087dcd8c7e
SHA256 ca701e7dc3f5cff0c98d0aa0689bfcd741ebe92506444a21002fbd45ac2a2307
SHA512 a388be59d8de59a4e1ba528e8e6e37db5503da76ebc367368ed761c84c9f96587731c2a6027aad3a285a6376ce6f118fea3afa0d513af82d9561e5a793314bae

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_4S1P\LINUX\driver\wch_common.h

MD5 6881afb5437910d41e99a2d0ef1dcb08
SHA1 99d8561f21631979a0283f0001e18425e6859619
SHA256 40d4b538d15abc146118ca530895f37f0daf869d69c4cdeeaf81609e6742d21f
SHA512 b0ab73082c7623b63bd69abd6f9798405e2b5f4bcd62d694825fa4f683d4f091b212a3634702bcb799a9605bd4079bc0fb66130b46ca61ec11f476c39753ad2a

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_4S1P\LINUX\driver\wch_devtable.c

MD5 21582239f825ecd714337e7beda0bd4b
SHA1 f87ba7dcdbaf947ccef581dbe750469c1e98b5ec
SHA256 9edd49c2842ab7d213cfe2838543a6510c03a719d16d744af18549899493d4ca
SHA512 38c9df985d5010bda2dc7b70f7318530b650d0a6280896db4ebc81938f8b257a94439d2ef5812a82680f485218a9860eb800a8c80b3861160e647c26aac77c08

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_4S1P\LINUX\driver\wch_main.c

MD5 07889835be28312c91b8e75042576b79
SHA1 c1a16512af45d677ae113390e63a39b3215898f5
SHA256 94a7c6ceb54d53fbf20d58377c954f8aa56912ec59108cacea2de9e8380d8599
SHA512 18e12c52f0681f64181059349bbea3a0e861aaa865e106730955a9cd8bf0623f11d4a3f6f1ebbeb6d9981075b5b72a22b508ebc874a4256911143c296e6be865

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_4S1P\LINUX\driver\wch_serial.c

MD5 9dbe497afe43518a91fcbf7ffd7e23b4
SHA1 7555891369e2d9b51026260e021ff26eb43d7eb3
SHA256 a2ed2ed7f708b565249c79c141fa43e44bdcf615ccd1ce5a9db05d7b48abe8ea
SHA512 f4898efe677e25b1439fa62662cdaa713b03d563c4ecb8ef5defe7a984161dee7491819e99924529f8933b9f2413e3516a28e97b84e76d8a063ddcab0b6fe0de

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_4S1P\LINUX\README

MD5 4e7d4a279bc5bf851aaa8436f9ca2de4
SHA1 5b181a9094c42d8de31b41760130f2294304a452
SHA256 f21532afe8ee1885917ebdf4e9b383286457704bbd896fe9908aaafa5cf8936c
SHA512 9cde244b7e29ee87f701c8342bc5dc142b8f0e62be16f27ddbb4feda5e08a5b1ddecc136bde073e4b963dbd275808820f45e9ae4791fa6728818d1ed1d678142

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_4S1P\LINUX\wchterm\Makefile

MD5 524540c7ce53746b7725a157fb54a07a
SHA1 2fb00d78be780a7aa7803379d2fcbf3bb261366d
SHA256 80368b581e178c46c2433e2104ada5055557512c6a52d5551d5d1289fad77cdc
SHA512 3f0d8c581c02e5616b86c559905363e41c38431972087870f51b4365a9399dd25625f648da9220378f56de9b68a560cfd979cf6631e9fad25a9e22d93a0ef333

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_4S1P\LINUX\wchterm\wchterm.c

MD5 99c11200c47af0abf9f144e0bb97d3a1
SHA1 21405cb4daa7a4fce306f2b87036527e18fda1f9
SHA256 50558006d260bdd4224977019617f02f05209ed0bfa70b4652f0d683592e670a
SHA512 41164dfc59eec11f2a2178553561279744ff7ef93e67b3fd11004ad0e0e47a1b1b1bbce8b630b28d928a3b3ab89eb214c68c128282761507356884335c105c9b

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_4S1P\LINUX\wchterm\wchterm.h

MD5 0b51548b16e322c0cdfb58a9b6a2d2e5
SHA1 acfdd51a3bca241ead35b00a73cda0b78edfc867
SHA256 106203829fe3a81daceda8d76df9f88aae3934e6802c672e28ba08ec176aa4fc
SHA512 63d24f7647c97d45c7d7edac7b8191682fd07f719271ae70796ea8b6877d9cd653e6289d898947d4bb34ef80073651569247a056967e68a8c1f5a19197266c7f

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_4S1P\WIN 2000\CH38MDRV2K.INF

MD5 22eb10147cc6545a01d34086e630e814
SHA1 9c3611295356aa17ac43d414d5043439230d90bf
SHA256 14044fa4c4da914f6276d576e0b92a3e38c4c5794a12cdac7a0d39234d0607c7
SHA512 d612bc9ad6de9208d203945999d935737e50a170e74e3953b8fe9f9eb880600b982bcdad2863e3c03dd2cce328a6967767f93828f9b26b13422da80c8f78f272

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_4S1P\WIN 2000\EMPORTS2K.INF

MD5 899bb87310c389096bc62d388dd97ab3
SHA1 06a0945a77855f5909312454788f4bbcc57090b4
SHA256 4345189b3a4818603958e60a7404ed1bc6a6c2b288a9e1effd72a65ca35481f8
SHA512 6880fec4f7e00b81ffc49f504eb3376282f1e646b6fd78aff2005b6836cbc44147e900fae1b89215fcb5a562846498d5676a9382284657c86ad76ce8068b90b0

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_1P\WIN 2000\PCIEPAR.sys

MD5 1b1831215df0698ead0368771163e276
SHA1 cea2772b516202f280895ecb21d91be5af7a5946
SHA256 a1bfb4195b20279ec6d5220f4e63e6bea92faffb2a5ca21a743aa5ff2971eecc
SHA512 e2a545e2a24736bd477ff729256f88a550c87beba3157f41c50dffc7d815328e8c1b037824bae344eb1a4c05624a17cac9a575e0752110b6526c8cc7c61f571f

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_1S\DOS\CH38XDOS.EXE

MD5 1398027ba484d73d558292b147145b22
SHA1 a8cc63e3d24e39d8f81e01b86f63e88413586fce
SHA256 8bbd22b6a7b3a6323f504ea741541a49a9dd2c38f1b6902b2d8c8fccc8d57283
SHA512 8751f8c7761fe1ef7b738b64296bf57cf207c5eb587fceb67df4c2c7cc6d5c8232f75aabdbc0fa59d643cc4cb7ec26b1f6aa6483b7732fc008cc7b21dcd1fb40

C:\Users\Admin\AppData\Local\Temp\RarSFX0\DRV_1S\DOS\readme.txt

MD5 e5614e9431672d37e26a43f17c02e402
SHA1 b65b4c195e4f6ccbdb0b21fa15db1246c5993c29
SHA256 cd1a34566f6086637ff689abf291df7dda8136c013aeda1e68c8c77dc0497828
SHA512 290f7c95104a79970e2bd42db0bfc2532f02aef6a553a5975ea47cf19224ee5692c4c10e7c85a39782ccca407c7587560dc57cdbe302412b41ff1ac299c22c94

\Users\Admin\AppData\Local\Temp\RarSFX0\PUMPSETUP.EXE

MD5 44fa26d0383632eb291fa0e43678f27a
SHA1 47f8efa967a81081231bbfc4e75f00ba09557af3
SHA256 ee685c22ced54b7afbfbc748663ea45871fab5806ad6ee923261b27e211ebe6e
SHA512 3273d57ecba1d44b386599a08032bb063e13d5fd70953e5a9ced61dc0e33a3b68948402c24ab6f6c507d803298dbc043a6b0635a4247b7ae5bec96c9069a0fa1

\Users\Admin\AppData\Local\Temp\RarSFX0\SETUPX64\PUMPSETUP64.exe

MD5 cb18a5f27924cc59e739c2e84bd5c305
SHA1 593b66a162529e21251d837541a766c9b3c468de
SHA256 8c1b5d10f07913960dae751b54d3173bb48d7b7b2ade5909b5a549098ba762d1
SHA512 8090d639cf9958464ca0a855792c5f63cf1d5ec021445844bbdf0c5866271a0eb36c7cd39d7186ee23503bcc10bfd94ca43499ec4d78c4bde54b9eea4f1ffe8e

memory/1372-605-0x00000000029B0000-0x00000000029B1000-memory.dmp

memory/2656-608-0x0000000000B80000-0x0000000000BE2000-memory.dmp

memory/2388-609-0x0000000000400000-0x0000000000434000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

memory/2388-616-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2388-622-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2388-668-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2388-674-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2388-1467-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2388-2427-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 ecc3f9c49b57f7c390617c6b22dd612c
SHA1 f8ba30ccaf7d1d2f05219a7daa8f412040130fd2
SHA256 f8b9d5a37e836b6ff7a487c096e522e6483ed50eba58680cca09bd5f4f099dab
SHA512 05698833e190e5263cada1475b29f877abfae445a70cddee997c9ce776aa9b76a16dbe2290fca742518c4e382aca1a512a3d49d5349b0a801d6e93f3dd9c0375

memory/2388-3124-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2388-3887-0x0000000000400000-0x0000000000434000-memory.dmp

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 4cfdb20b04aa239d6f9e83084d5d0a77
SHA1 f22863e04cc1fd4435f785993ede165bd8245ac6
SHA256 30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9
SHA512 35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86
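
The Files list and the two "Drops file" signature tables above supply enough to sweep a host or a mounted image for this detonation's artefacts. The Python below is an added example, not part of the sandbox report: it carries the report's SHA256 values for Logo1_.exe, the $$a58C.bat batch file, the .exe.exe copy of the sample and the _desktop.ini marker, the name-only indicators rundl132.exe and vDll.dll (the report lists no hashes for those two), and the _desktop.ini marker that Logo1_.exe created across Program Files subfolders and in F:\$RECYCLE.BIN (the leading underscore distinguishes it from Windows' own desktop.ini). It walks a directory tree and reports name, marker and hash hits; on a live Windows host the same check would normally be typed as PowerShell, and Python is used here so it also runs over an image mounted on a Linux analysis box. The demo() fixture is constructed for this example and is not data from the report. Two caveats a practitioner should keep in mind: hash hits only match the exact bytes this detonation produced, so the name and marker hits are the durable part; and because Logo1_.exe opened third-party executables for modification (7-Zip's Uninstall.exe, Firefox's private_browsing.exe and DW20.EXE in the table above), a clean result on names does not clear those binaries, which should be compared against vendor-published hashes separately.

```python
import hashlib
import os
import tempfile

# SHA256 values the report lists for files written by the sample or Logo1_.exe.
HASH_IOCS = {
    "bfe028ae725ae2c6b577e56f908e46a13810bf3425c3846a7dbfe7c931bfa82e": "Logo1_.exe",
    "d6e26bb92008686ad947cfce90f661961151f077f00b2a456de3994218b30835": "$$a58C.bat",
    "8ab96f15b257abd09ceef9eacf1e665e7b21da27a8fbf68d163ec73cef410c2e": "<sample>.exe.exe copy",
    "47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42": "_desktop.ini",
}
# Files the report shows being created in C:\Windows. No hash is given for
# rundl132.exe or vDll.dll, so those two are name-only indicators.
NAME_IOCS = {"logo1_.exe", "rundl132.exe", "vdll.dll"}
# Marker file Logo1_.exe created throughout Program Files and on F:\.
# Leading underscore: this is not Windows' desktop.ini folder-customisation file.
MARKER = "_desktop.ini"
# Only hash file types the report shows the sample touching; keeps the sweep fast.
HASH_EXT = (".exe", ".dll", ".bat", ".ini")


def sha256_of(path, chunk=1 << 16):
    """Streaming SHA256 so large installers do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def sweep(root, hash_iocs=HASH_IOCS, name_iocs=NAME_IOCS, marker=MARKER, hash_ext=HASH_EXT):
    """Walk `root` and return sorted (relative_path, reason) findings.

    A file can produce more than one finding (for example a name hit and a
    hash hit on the same Logo1_.exe), which is deliberate: the reasons are
    independent evidence.
    """
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            low = name.lower()
            if low == marker.lower():
                findings.append((rel, "marker " + marker))
            if low in name_iocs:
                findings.append((rel, "dropped-file name"))
            if low.endswith(hash_ext):
                try:
                    digest = sha256_of(full)
                except OSError:
                    continue  # unreadable file: skip rather than abort the sweep
                if digest in hash_iocs:
                    findings.append((rel, "sha256 matches " + hash_iocs[digest]))
    return sorted(findings)


def demo():
    """Constructed fixture (not from the report) so the sweep can be run offline.

    The Logo1_.exe body is made up, so its hash is added to a copy of the IOC
    table under a label that says so; the report's real hashes stay unchanged.
    """
    root = tempfile.mkdtemp(prefix="ioc-sweep-")
    body = b"constructed Logo1_ body"
    files = {
        ("Windows", "Logo1_.exe"): body,                                  # name + hash hit
        ("Windows", "notepad.exe"): b"unrelated",                         # no hit
        ("Program Files", "7-Zip", "_desktop.ini"): b"x",                 # marker hit
        ("Program Files", "7-Zip", "desktop.ini"): b"[.ShellClassInfo]",  # legitimate, no hit
    }
    for parts, data in files.items():
        path = os.path.join(root, *parts)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    iocs = dict(HASH_IOCS)
    iocs[hashlib.sha256(body).hexdigest()] = "Logo1_.exe (constructed fixture)"
    return sweep(root, hash_iocs=iocs)


if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{reason:45s} {rel}")
```

Run it against a real target with sweep(r"D:\mounted_image") or sweep("/mnt/evidence"); the walk follows the directory tree only, so removable volumes such as the F: drive the report shows being marked must be passed as their own root.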