Malware Analysis Report

2025-01-22 08:15

Sample ID 241026-eylensxnfy
Target f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec
SHA256 f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec
Tags
discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec

Threat Level: Shows suspicious behavior

The file f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec was found to show suspicious behavior.

Malicious Activity Summary

discovery spyware stealer

Drops startup file

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Deletes itself

Checks installed software on the system

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-26 04:20

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-26 04:20

Reported

2024-10-26 04:23

Platform

win7-20241010-en

Max time kernel

149s

Max time network

124s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Internet Explorer\ExtExport.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\bs\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\en_GB\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SLATE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Journal\Journal.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Mail\wabmig.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ARFR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\BabyBoy\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\EURO\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\br\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\brx\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\kinit.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\meta\art\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\mk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Journal\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\NETWORK\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\VSTA\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\binary\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\server\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VC\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Mozilla Firefox\uninstall\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\demux\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EVRGREEN\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Minesweeper\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\prc\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Logo1_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2776 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe C:\Windows\SysWOW64\net.exe
PID 2848 wrote to memory of 2180 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2776 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe C:\Windows\SysWOW64\cmd.exe
PID 2776 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe C:\Windows\Logo1_.exe
PID 2960 wrote to memory of 2060 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2916 wrote to memory of 2656 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe
PID 2060 wrote to memory of 2680 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2656 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe
PID 2960 wrote to memory of 2424 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2424 wrote to memory of 2608 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2960 wrote to memory of 1188 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe

"C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a3CF1.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe

"C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe

"C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe" -burn.unelevated BurnPipe.{867ADDB3-92A1-4389-9562-99DA3A07396D} {A5907949-362F-43AA-9C83-109F92F26009} 2656

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\$$a3CF1.bat

C:\Windows\Logo1_.exe

C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe.exe

\Users\Admin\AppData\Local\Temp\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\.ba1\wixstdba.dll

C:\Users\Admin\AppData\Local\Temp\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\.ba1\logo.png

F:\$RECYCLE.BIN\S-1-5-21-3692679935-4019334568-335155002-1000\_desktop.ini

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-26 04:20

Reported

2024-10-26 04:23

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

143s

Command Line

C:\Windows\Explorer.EXE

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A

Reads user/profile data of web browsers

spyware stealer

Checks installed software on the system

discovery

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jinfo.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\nn\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\meta\reader\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Logo1_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4860 wrote to memory of 4904 N/A C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe C:\Windows\SysWOW64\net.exe
PID 4904 wrote to memory of 4644 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4860 wrote to memory of 4312 N/A C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe C:\Windows\SysWOW64\cmd.exe
PID 4860 wrote to memory of 2924 N/A C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe C:\Windows\Logo1_.exe
PID 2924 wrote to memory of 3844 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3844 wrote to memory of 2628 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4312 wrote to memory of 1916 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe
PID 1916 wrote to memory of 4544 N/A C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe
PID 2924 wrote to memory of 4420 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4420 wrote to memory of 4064 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2924 wrote to memory of 3560 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe

"C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAD66.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe

"C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe"

C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe

"C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe" -burn.unelevated BurnPipe.{20B8B901-54FE-41E1-9C3C-043951117FAB} {AD731F2C-88A0-48DE-B7F6-C9D5098B039F} 1916

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

Files

C:\Windows\Logo1_.exe

C:\Users\Admin\AppData\Local\Temp\$$aAD66.bat


C:\Users\Admin\AppData\Local\Temp\f033bbb306ff9feebc9f881d7bf293d303af233130e795d86a20b16aad085eec.exe.exe


C:\Users\Admin\AppData\Local\Temp\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\.ba1\wixstdba.dll


C:\Users\Admin\AppData\Local\Temp\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\.ba1\logo.png

F:\$RECYCLE.BIN\S-1-5-21-4050598569-1597076380-177084960-1000\_desktop.ini


C:\Program Files\7-Zip\7z.exe

C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
