Malware Analysis Report

2024-10-18 22:05

Sample ID 240616-y5n9pawdra
Target e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf
SHA256 e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf
Tags
bootkit persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf

Threat Level: Shows suspicious behavior

The file e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf was found to be: Shows suspicious behavior.

Malicious Activity Summary

bootkit persistence

Deletes itself

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Writes to the Master Boot Record (MBR)

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-16 20:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-16 20:22

Reported

2024-06-16 20:24

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

152s

Command Line

C:\Windows\Explorer.EXE

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\RTL\contrast-white\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ca-ES\View3d\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\uninstall\helper.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\zh-TW\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\Simple\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\en-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Photo Viewer\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxGamingOverlay_2.34.28001.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ja-jp\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\pl-pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\ar-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\RTL\contrast-white\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_x64__8wekyb3d8bbwe\Resources\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\ca-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\cs-cz\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\uk-ua\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\hu-hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebMediaExtensions_1.0.20875.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Work\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fi-fi\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\sk-sk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\eu-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ja-jp\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\cs-cz\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\extcheck.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\lib\security\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\nb\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Mail\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\themeless\Appstore\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Images\Stickers\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\FileAssociation\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_10.1906.1972.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\include\win32\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\an\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\eu-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Media Player\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3788 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe C:\Windows\SysWOW64\cmd.exe
PID 3788 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe C:\Windows\SysWOW64\cmd.exe
PID 3788 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe C:\Windows\SysWOW64\cmd.exe
PID 3788 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe C:\Windows\Logo1_.exe
PID 3788 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe C:\Windows\Logo1_.exe
PID 3788 wrote to memory of 4064 N/A C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe C:\Windows\Logo1_.exe
PID 4064 wrote to memory of 4784 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4064 wrote to memory of 4784 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4064 wrote to memory of 4784 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4784 wrote to memory of 2700 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4784 wrote to memory of 2700 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4784 wrote to memory of 2700 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3604 wrote to memory of 704 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe
PID 3604 wrote to memory of 704 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe
PID 3604 wrote to memory of 704 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe
PID 4064 wrote to memory of 3456 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 4064 wrote to memory of 3456 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe

"C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a686E.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe

"C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 s.ludashi.com udp
US 23.53.113.159:80 tcp

Files

memory/3788-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\Logo1_.exe

MD5 c96a70874a471376780d70d7ad6b255a
SHA1 5b19ded6314cc223bac30dd4a1ee3041fa3cfa26
SHA256 1ae40b73fe2ab7e5f0282d11052dff7e4eff746da740d0dd75f7468638b0b7ef
SHA512 3a4d3a94f2535b3ce74bbd510119b0d99f37e888da05245d34482a5a76919b3e5c518a0445cf3098e9e443267250fbf339812d5315b70d34302a9131e5c00d88

memory/3788-8-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4064-10-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe

MD5 25c40a58d31194af030d2856153fc490
SHA1 9361a68e4a5585c4f03026165d61f5f588515128
SHA256 ea31aeb14e8542ea87d01839d10b4b8933ea5444af49c2536051d979bc924168
SHA512 3b19c2642f235b3da033a84539339f0338a4fec0de5656e925bba7e7d505fb877d02b06c636b34bc45fd5e95271741eef6eceb91a14f8e684243bdbdeec12f32

C:\Users\Admin\AppData\Local\Temp\$$a686E.bat

MD5 d17b37f6a249b875eecf1be016a1a4a0
SHA1 6c7e013982434019f6a56a4db2bca9c5fdb8d0c3
SHA256 a769fbe3362982a3bcf07679259924b838e59cbcfa415be8960ec1ce0b26afbd
SHA512 df469e55f59888a8f13a75784e17b39baa987732bde07ba90654f51d5a1d872fb1a09fa0bfcf780b245085b0f3f8787b8f7e8a84686a6a430c961f03647a4d6f

memory/4064-19-0x0000000000400000-0x0000000000434000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\_desktop.ini

MD5 1884bfdeea71ff22db39c196f4447c9c
SHA1 3eafc7e6e17ba6ce7a087a3588fb1efb596da038
SHA256 163167bc5a01ad6b3ed4406c2a9a1baaf2c0ef4620ab7d5b39aeddf976ca776d
SHA512 b22124aa3a912462e6face7f71ad3dfec4b27dab16b2e20e3a0adc277f89f631ec889c91b185ac4b9b670933d881b8fd26c25d6f405e465aa8148cdbb7f7c3e2

memory/4064-26-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4064-32-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4064-36-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Program Files\7-Zip\7z.exe

MD5 fb3c59046fa8058efaae6ca23bb72b5e
SHA1 058b24d4ec5196094292851d146837757786ddd5
SHA256 8f4cd343a9ff1968fc0286c995c5ce70e9b6a7ab08bb30b2be2878cabae30253
SHA512 1d8da7f9a0b72d36601a1427563c539f0a05a2612c95c1dfe8fb6d391061a6d822880e98de53c9e6ca2b5c13fb709da6fecf7cab26d1fbf1b9885d69960620d0

memory/4064-1230-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 baf165adaab6392d033d7f32319cabcb
SHA1 fa4b6413108c9b552b158ae614b63565509cece4
SHA256 c134d2515194f237193d125b905c679da1fe6baef94e7449c93c7ed387ba66e6
SHA512 0400ff9363143c589e5cf1172d6d4c971fd936de9e640d80e563b5e0136b772fa048497a0e6d79f51c02bf7b8ccda0d367180bf6cb91a35d9f21c320648c3a38

memory/4064-4796-0x0000000000400000-0x0000000000434000-memory.dmp

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 2500f702e2b9632127c14e4eaae5d424
SHA1 8726fef12958265214eeb58001c995629834b13a
SHA256 82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c
SHA512 f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

memory/4064-5235-0x0000000000400000-0x0000000000434000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-16 20:22

Reported

2024-06-16 20:24

Platform

win7-20240611-en

Max time kernel

149s

Max time network

124s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Mozilla Firefox\defaults\pref\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VBA\VBA6\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\DocumentShare\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Library\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Lime\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\requests\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\on_desktop\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STRTEDGE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Word.en-us\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BrightOrange\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Library\Analysis\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\Indiana\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\uz\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateComRegisterShell64.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Library\SOLVER\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.rcp.ja_5.5.0.165303\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\et\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ja\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Mail\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\BORDERS\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\Bin\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\unpack200.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Uninstall Information\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\am_ET\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2932 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe C:\Windows\SysWOW64\cmd.exe
PID 2932 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe C:\Windows\SysWOW64\cmd.exe
PID 2932 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe C:\Windows\SysWOW64\cmd.exe
PID 2932 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe C:\Windows\SysWOW64\cmd.exe
PID 2932 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe C:\Windows\Logo1_.exe
PID 2932 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe C:\Windows\Logo1_.exe
PID 2932 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe C:\Windows\Logo1_.exe
PID 2932 wrote to memory of 2120 N/A C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe C:\Windows\Logo1_.exe
PID 2120 wrote to memory of 2656 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2120 wrote to memory of 2656 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2120 wrote to memory of 2656 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2120 wrote to memory of 2656 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2928 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe
PID 2928 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe
PID 2928 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe
PID 2928 wrote to memory of 2652 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe
PID 2656 wrote to memory of 2620 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2656 wrote to memory of 2620 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2656 wrote to memory of 2620 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2656 wrote to memory of 2620 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2120 wrote to memory of 1284 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2120 wrote to memory of 1284 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe

"C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a5F8E.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe

"C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

Country Destination Domain Proto
US 8.8.8.8:53 s.ludashi.com udp
CN 139.224.193.172:80 s.ludashi.com tcp

Files

memory/2932-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a5F8E.bat

MD5 c702a9fd04d1218510900cd3492c4c3d
SHA1 97d2e0dd4bc91c4c91df2522a251ed3c9d98834c
SHA256 f3d9237f3050d868c5875d3c86a2e0e2362bdbdad6b157b25a8f0244bdc6d518
SHA512 194fd67cdc70295a763d3db73dc7641f891dc808f34175d96bc309f2edf8da7ac43a06867c9184c8f98631cb62626939197adc9dd46d849898e4def448caca21

memory/2932-12-0x00000000003A0000-0x00000000003D4000-memory.dmp

C:\Windows\Logo1_.exe

MD5 c96a70874a471376780d70d7ad6b255a
SHA1 5b19ded6314cc223bac30dd4a1ee3041fa3cfa26
SHA256 1ae40b73fe2ab7e5f0282d11052dff7e4eff746da740d0dd75f7468638b0b7ef
SHA512 3a4d3a94f2535b3ce74bbd510119b0d99f37e888da05245d34482a5a76919b3e5c518a0445cf3098e9e443267250fbf339812d5315b70d34302a9131e5c00d88

memory/2932-17-0x00000000003A0000-0x00000000003D4000-memory.dmp

memory/2932-16-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e84470ad42b86d9596c11534b883db3399c31a338a036d196cac2c0cbe17fabf.exe.exe

MD5 25c40a58d31194af030d2856153fc490
SHA1 9361a68e4a5585c4f03026165d61f5f588515128
SHA256 ea31aeb14e8542ea87d01839d10b4b8933ea5444af49c2536051d979bc924168
SHA512 3b19c2642f235b3da033a84539339f0338a4fec0de5656e925bba7e7d505fb877d02b06c636b34bc45fd5e95271741eef6eceb91a14f8e684243bdbdeec12f32

memory/1284-29-0x00000000029C0000-0x00000000029C1000-memory.dmp

memory/2120-31-0x0000000000400000-0x0000000000434000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-39690363-730359138-1046745555-1000\_desktop.ini

MD5 1884bfdeea71ff22db39c196f4447c9c
SHA1 3eafc7e6e17ba6ce7a087a3588fb1efb596da038
SHA256 163167bc5a01ad6b3ed4406c2a9a1baaf2c0ef4620ab7d5b39aeddf976ca776d
SHA512 b22124aa3a912462e6face7f71ad3dfec4b27dab16b2e20e3a0adc277f89f631ec889c91b185ac4b9b670933d881b8fd26c25d6f405e465aa8148cdbb7f7c3e2

memory/2120-38-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2120-44-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2120-90-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2120-96-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2120-136-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2120-1873-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 baf165adaab6392d033d7f32319cabcb
SHA1 fa4b6413108c9b552b158ae614b63565509cece4
SHA256 c134d2515194f237193d125b905c679da1fe6baef94e7449c93c7ed387ba66e6
SHA512 0400ff9363143c589e5cf1172d6d4c971fd936de9e640d80e563b5e0136b772fa048497a0e6d79f51c02bf7b8ccda0d367180bf6cb91a35d9f21c320648c3a38

memory/2120-3333-0x0000000000400000-0x0000000000434000-memory.dmp

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 4cfdb20b04aa239d6f9e83084d5d0a77
SHA1 f22863e04cc1fd4435f785993ede165bd8245ac6
SHA256 30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9
SHA512 35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86