Malware Analysis Report

2025-01-22 08:14

Sample ID 241026-ezgg4sxlcn
Target ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e
SHA256 ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e
Tags
discovery spyware stealer
score
7/10

Table of Contents

Analysis Overview
MITRE ATT&CK (Enterprise Matrix V15)
Analysis: static1 (Detonation Overview, Signatures)
Analysis: behavioral1 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)
Analysis: behavioral2 (Detonation Overview, Command Line, Signatures, Processes, Network, Files)

Analysis Overview

score
7/10

SHA256

ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e

Threat level: shows suspicious behavior.

The file ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e was classified as "shows suspicious behavior" (7/10) on the strength of the behavioural signatures listed below; the sandbox did not match it to a named family. Two points matter when reading the detail sections. First, the spyware and stealer tags rest entirely on the "Reads user/profile data of web browsers" signature, for which neither detonation records a supporting indicator row, so they are low-confidence. Second, the behaviour that is fully evidenced (Logo1_.exe, rundl132.exe and Dll.dll written into C:\Windows; _desktop.ini markers written into directories across every drive; legitimate executables such as java.exe, wmlaunch.exe, dotnet.exe, notification_helper.exe and IntegratedOffice.exe opened for modification; a rewritten GoogleUpdateCore.exe among the files listed; and repeated net stop "Kingsoft AntiVirus Service" from both the sample and Logo1_.exe) is a file infector at work. That exact indicator set is the long-documented pattern of the Viking/Looked family; the report itself assigns no family, so treat that attribution as an analyst's assessment, not a sandbox verdict. The -burn.unelevated relaunch in the process list and the wixstdba.dll and logo.png under the .ba1 directory in the Files section show that the carrier program is a WiX Burn installer bundle, and the second copy of the sample in %TEMP% (the .exe.exe file, whose hash differs from the submission) is consistent with the infector restoring the uninfected host and re-running it through the dropped $$a23D6.bat.

Malicious Activity Summary

discovery spyware stealer

Executes dropped EXE

Reads user/profile data of web browsers

Drops startup file

Deletes itself

Loads dropped DLL

Enumerates connected drives

Checks installed software on the system

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-26 04:22

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-26 04:22

Reported

2024-10-26 04:25

Platform

win7-20241010-en

Max time kernel

149s

Max time network

125s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A

Reads user/profile data of web browsers

spyware stealer (no indicator rows were recorded for this signature; it is the sole source of the spyware/stealer tags on this report)

Checks installed software on the system

discovery (no indicator rows were recorded for this signature)

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: and \??\G: through \??\Z: (21 drive letters: every letter from E: to Z: except F:) C:\Windows\Logo1_.exe N/A

This is the infector probing every possible drive letter before walking the ones that exist. F: is absent from this list, but the Files section shows Logo1_.exe writing _desktop.ini into F:\$RECYCLE.BIN, so that drive was present and was traversed.

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Push\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\mn\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\skins\fonts\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\es-ES\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\REFINED\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SPRING\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft SQL Server Compact Edition\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\dtplugin\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Defender\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\MEIPreload\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ast\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\lt\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VSTA\8.0\x86\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\FreeCell\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\sd\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Help\1041\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PIXEL\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Effects\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Africa\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Optional\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\nn\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\audio_mixer\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\FRAR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\wmlaunch.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\cache\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\keystore\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Mail\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\TableTextService\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target Count
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe N/A 3
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Logo1_.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A 1
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A 3
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A 3

Caveat: Microsoft's own cmd.exe, net.exe and net1.exe trigger this signature as often as the sample does. Opening HKLM\SYSTEM\ControlSet001\Control\NLS\Language is routine locale initialisation for almost any Windows process, so on its own it is not evidence of the language-based targeting the signature name suggests.

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe N/A 13
N/A N/A C:\Windows\Logo1_.exe N/A 30

Process enumeration is not evidence of anything by itself; the only point of note is that Logo1_.exe, the dropped resident component, performs it more than twice as often as the submitted file.

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 3052 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe C:\Windows\SysWOW64\net.exe 4
PID 1824 wrote to memory of 2072 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe 4
PID 3052 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe C:\Windows\SysWOW64\cmd.exe 4
PID 3052 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe C:\Windows\Logo1_.exe 4
PID 2880 wrote to memory of 2988 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe 4
PID 2988 wrote to memory of 2888 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe 4
PID 2848 wrote to memory of 2972 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe 7
PID 2972 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe 7
PID 2880 wrote to memory of 3068 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe 4
PID 3068 wrote to memory of 1612 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe 4
PID 2880 wrote to memory of 1200 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE 2

Every row but the last is a parent writing into a child it has just created: the sandbox records the WriteProcessMemory calls that CreateProcess itself makes while setting up a new process (four to seven per child in this trace). Those rows are expected for net.exe, net1.exe, cmd.exe and the batch-driven relaunch and carry no signal on their own. The final row is different in kind: Logo1_.exe (PID 2880) writes into the already-running Explorer.EXE (PID 1200), which is not its child. That is a genuine cross-process write, and the memory/1200-46-0x0000000002A90000-0x0000000002A91000 dump in the Files section is the one page it touched.

Processes

Process tree reconstructed from the process list and the PIDs in the WriteProcessMemory table above. <sample>.exe stands for C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe. Each process is shown as image path (PID) followed by its command line. The two net.exe/net1.exe pairs under Logo1_.exe have identical command lines, so which pair is 2988/2888 and which is 3068/1612 cannot be told apart.

C:\Windows\Explorer.EXE (PID 1200)
    C:\Windows\Explorer.EXE
  <sample>.exe (PID 3052)
      "<sample>.exe"
    C:\Windows\SysWOW64\net.exe (PID 1824)
        net stop "Kingsoft AntiVirus Service"
      C:\Windows\SysWOW64\net1.exe (PID 2072)
          C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
    C:\Windows\SysWOW64\cmd.exe (PID 2848)
        cmd /c C:\Users\Admin\AppData\Local\Temp\$$a23D6.bat
      <sample>.exe (PID 2972)
          "<sample>.exe"
        <sample>.exe (PID 2816)
            "<sample>.exe" -burn.unelevated BurnPipe.{BB4368DF-C969-4901-A263-66C86651B7BE} {6E737B87-834A-4687-946E-190C6731BF8C} 2972
    C:\Windows\Logo1_.exe (PID 2880)
        C:\Windows\Logo1_.exe
      C:\Windows\SysWOW64\net.exe (PID 2988)
          net stop "Kingsoft AntiVirus Service"
        C:\Windows\SysWOW64\net1.exe (PID 2888)
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
      C:\Windows\SysWOW64\net.exe (PID 3068)
          net stop "Kingsoft AntiVirus Service"
        C:\Windows\SysWOW64\net1.exe (PID 1612)
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Reading the tree: the submitted file stops the Kingsoft antivirus service, drops Logo1_.exe into C:\Windows and runs it, then hands off to a batch file in %TEMP%. The batch relaunches the sample (PID 2972), and that instance starts a further copy with -burn.unelevated BurnPipe.{GUID} {GUID} 2972, which is the form in which the WiX Burn bootstrapper engine hands its own child a named pipe and the parent PID; with the wixstdba.dll and logo.png in the Files section this identifies the carrier as a WiX Burn installer bundle running normally once the infector has finished. Logo1_.exe, the resident part, repeats the service stop twice, walks every drive writing _desktop.ini markers, and writes into Explorer.EXE.
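As an added example (not part of the sandbox report, and not a vendor tool), the following Python script turns the three behaviours visible in this process tree into detections and runs them over a process table constructed from the list above: an antivirus service stopped through net.exe/net1.exe, a batch file in the user's Temp directory run through cmd /c, and an executable running directly out of C:\Windows that is not a stock binary. PIDs and parent links come from the report's WriteProcessMemory table; the only assumption is that Explorer.EXE (PID 1200) started the first sample process, which the report's "Command Line: C:\Windows\Explorer.EXE" field implies but does not state. The AV keyword list and the stock-binary allowlist are illustrative and must be extended for a real estate.

```python
"""Triage a sandbox process tree for the behaviours flagged in this report.

Added example; not part of the sandbox report and not a vendor tool. PROCS is
constructed from the report's Processes section. PIDs and parent links are
taken from its WriteProcessMemory table; the one assumption is that the first
sample process (PID 3052) was started by Explorer.EXE (PID 1200). The two
net.exe/net1.exe pairs under Logo1_.exe are indistinguishable, so their PID
assignment below is arbitrary.
"""
import re
from collections import namedtuple

Proc = namedtuple("Proc", "pid ppid image cmdline")

SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe")
NET = r"C:\Windows\SysWOW64\net.exe"
NET1 = r"C:\Windows\SysWOW64\net1.exe"
STOP = 'net stop "Kingsoft AntiVirus Service"'
STOP1 = r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'

PROCS = [
    Proc(1200, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    Proc(3052, 1200, SAMPLE, f'"{SAMPLE}"'),  # parent assumed (see docstring)
    Proc(1824, 3052, NET, STOP),
    Proc(2072, 1824, NET1, STOP1),
    Proc(2848, 3052, r"C:\Windows\SysWOW64\cmd.exe",
         r"cmd /c C:\Users\Admin\AppData\Local\Temp\$$a23D6.bat"),
    Proc(2880, 3052, r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    Proc(2988, 2880, NET, STOP),
    Proc(2888, 2988, NET1, STOP1),
    Proc(2972, 2848, SAMPLE, f'"{SAMPLE}"'),
    Proc(2816, 2972, SAMPLE,
         f'"{SAMPLE}" -burn.unelevated BurnPipe.{{BB4368DF-C969-4901-A263-66C86651B7BE}}'
         " {6E737B87-834A-4687-946E-190C6731BF8C} 2972"),
    Proc(3068, 2880, NET, STOP),
    Proc(1612, 3068, NET1, STOP1),
]

# `net stop <svc>` or `net1 stop <svc>`, with or without a path and .exe suffix.
NET_STOP = re.compile(r'(?:^|\\)net1?(?:\.exe)?\s+stop\s+"?([^"]+?)"?\s*$', re.I)
# Illustrative keyword list; extend with the product names deployed in your estate.
AV_WORDS = ("antivirus", "anti-virus", "defender", "kingsoft")
# cmd /c <anything>\AppData\Local\Temp\<name>.bat
TEMP_BAT = re.compile(r'\bcmd(?:\.exe)?\s+/c\s+"?(\S+?\\AppData\\Local\\Temp\\[^"\s]+\.bat)"?', re.I)
# Stock executables that legitimately live directly under C:\Windows (illustrative).
WINDOWS_ROOT_EXES = {"explorer.exe", "regedit.exe", "notepad.exe", "hh.exe",
                     "write.exe", "winhlp32.exe", "bfsvc.exe", "splwow64.exe"}


def av_service_stops(procs):
    """(pid, service) for every net/net1 'stop' whose service name looks like an AV product."""
    hits = []
    for p in procs:
        m = NET_STOP.search(p.cmdline)
        if m and any(w in m.group(1).lower() for w in AV_WORDS):
            hits.append((p.pid, m.group(1)))
    return hits


def temp_batch_launches(procs):
    """(pid, batch path) for cmd.exe runs of a .bat under the user's Temp directory."""
    hits = []
    for p in procs:
        m = TEMP_BAT.search(p.cmdline)
        if m:
            hits.append((p.pid, m.group(1)))
    return hits


def unexpected_windows_root_images(procs):
    """Executables running straight out of C:\\Windows\\ that are not stock binaries."""
    found = set()
    for p in procs:
        m = re.fullmatch(r"c:\\windows\\([^\\]+\.exe)", p.image, re.I)
        if m and m.group(1).lower() not in WINDOWS_ROOT_EXES:
            found.add(m.group(1))
    return sorted(found)


def ancestry(procs, pid):
    """Image basenames from the root of the tree down to `pid`."""
    by_pid = {p.pid: p for p in procs}
    chain = []
    while pid in by_pid:
        chain.append(by_pid[pid].image.rsplit("\\", 1)[-1])
        pid = by_pid[pid].ppid
    return chain[::-1]


def triage(procs):
    stops = av_service_stops(procs)
    return {
        "av_services_stopped": sorted({svc for _, svc in stops}),
        "av_stop_attempts": len(stops),
        "temp_batch_launches": [path for _, path in temp_batch_launches(procs)],
        "unexpected_windows_root_images": unexpected_windows_root_images(procs),
        # The Burn relaunch: Explorer -> sample -> cmd -> sample -> sample -burn.unelevated
        "burn_relaunch_chain": ancestry(procs, 2816),
    }


if __name__ == "__main__":
    for key, value in triage(PROCS).items():
        print(f"{key}: {value}")
```

The net.exe and net1.exe lines both match, so `av_stop_attempts` counts six events for three real attempts; dedupe on the net1.exe child (or on the parent PID) if the count feeds an alert threshold. The ancestry walk is what turns the flat WriteProcessMemory table into the Explorer, sample, cmd, sample, sample chain that explains the Burn relaunch.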

Network

N/A

Files

Memory dumps

memory/3052-0-0x0000000000400000-0x000000000043D000-memory.dmp
memory/3052-16-0x0000000000400000-0x000000000043D000-memory.dmp
memory/2880-18-0x0000000000400000-0x000000000043D000-memory.dmp
memory/2880-49-0x0000000000400000-0x000000000043D000-memory.dmp
memory/2880-1235-0x0000000000400000-0x000000000043D000-memory.dmp
memory/2880-3543-0x0000000000400000-0x000000000043D000-memory.dmp
memory/2880-4122-0x0000000000400000-0x000000000043D000-memory.dmp
memory/1200-46-0x0000000002A90000-0x0000000002A91000-memory.dmp

The submitted file (PID 3052) and the dropped Logo1_.exe (PID 2880) map the same 0x400000-0x43D000 image range, which suggests Logo1_.exe is the infector body carved out of the submitted file rather than a separate payload. The single 4 KB dump from Explorer.EXE (PID 1200) corresponds to the cross-process write recorded under "Suspicious use of WriteProcessMemory".

Dropped and modified files

C:\Users\Admin\AppData\Local\Temp\$$a23D6.bat

MD5 a57dce8cdf720faae68f74bec1501b1f
SHA1 14b2c3db472d25d134c77d7dda654f963cb2f9b8
SHA256 8eb6a3c899db46f9fb4febd592517e4c859b9b0759133843252c4093e114d6cf
SHA512 6cf20d2e8fb45c329c16bef63320543e34f68e4c0eec06fcd53cdc7ec9f09e8ea8622de7d99d4a8c6a280ce1eb451bd93c01f4f6912c454f6dd7385bb5447025

C:\Windows\Logo1_.exe

MD5 dd7de04b7104a93e35fb3a577b5b621b
SHA1 4d84ff8b82f359e1c303d9d68dda6dc503848ad6
SHA256 fc02df6a818f176e9499cda422291726b9e3d37d6e381dd5629295df031cde03
SHA512 569116a84fd5d09c06c4967d466de2f6a7be71b77edaa28bef11836d0eb5fa20eef5c9c415540a8f5f785cdbe0e059f21a835952b81ac97b5e620a52bf56a921

C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe.exe

MD5 6503c081f51457300e9bdef49253b867
SHA1 9313190893fdb4b732a5890845bd2337ea05366e
SHA256 5ebba234b1d2ff66d4797e2334f97e0ed38f066df15403db241ca9feb92730ea
SHA512 4477dbcee202971973786d62a8c22f889ea1f95b76a7279f0f11c315216d7e0f9e57018eabf2cf09fda0b58cae2178c14dcb70e2dee7efd3705c8b857f9d3901

\Users\Admin\AppData\Local\Temp\{61087a79-ac85-455c-934d-1fa22cc64f36}\.ba1\wixstdba.dll

MD5 a52e5220efb60813b31a82d101a97dcb
SHA1 56e16e4df0944cb07e73a01301886644f062d79b
SHA256 e7c8e7edd9112137895820e789baaaeca41626b01fb99fede82968ddb66d02cf
SHA512 d6565ba18b5b9795d6bde3ef94d8f7cd77bf8bb69ba3fe7adefb80fc7c5d888cdfdc79238d86a0839846aea4a1e51fc0caed3d62f7054885e8b15fad9f6c654e

C:\Users\Admin\AppData\Local\Temp\{61087a79-ac85-455c-934d-1fa22cc64f36}\.ba1\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

F:\$RECYCLE.BIN\S-1-5-21-3692679935-4019334568-335155002-1000\_desktop.ini

MD5 28a582403dbb209b6c5cb7bada9c918d
SHA1 db58560be63032a4cbd738d2d639e5bf764d6277
SHA256 b5a9fa3acde4d9499ea08a6d9ff193fc9cda57f04141f82d2422a4008f451200
SHA512 511b4d3886d671d01c66d2509b784a199e68a00f2597d311d8d0770f0b1030680136ee450343a8d6c4b51d9de8448bafdde44dc1a1c6e62bccde47d5af03fbae

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 dd5f511ac42d9719d30a69ad45d2efd4
SHA1 6a74d19c5f70b2950a01f54d6526ed1e1db4dd42
SHA256 b209a195049e7e6704c77e5856589ab1a257bb70f6457099a5a39cd9531d81bb
SHA512 f1aae77e9af1cccdd44936477504d7d1e92a093b9755d555eaa1510f66e5ed4e96b25c7a8b6f2cb79bd39537d1aae368d6af0176be563885ef61d4e7d752ffaa
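A hunt script for the on-disk artefacts of this detonation, as an added example (not part of the report and not vendor tooling): it walks a directory tree looking for the _desktop.ini markers the infector leaves in every folder it visits (flagging separately any that land in an Office STARTUP folder, the report's "Drops startup file" hit), the three names written directly under C:\Windows (Logo1_.exe, rundl132.exe, Dll.dll), and any executable, DLL or batch file whose SHA256 appears in the Files section above. The tree it checks itself against is constructed with placeholder bytes; self_check also adds the planted Logo1_.exe's hash to the IOC set so that the hash path is exercised. Point hunt() at a mounted volume or an offline image to use it for real.

```python
"""Hunt a volume or mounted disk image for the file artefacts this report lists.

Added example; not from the sandbox report and not a vendor tool. REPORT_HASHES
holds the SHA256 values the report's Files section gives for the dropped batch
file, Logo1_.exe, the rewritten GoogleUpdateCore.exe and the F:\\ _desktop.ini
marker. The directory layout that self_check() builds is constructed for the
demonstration and contains placeholder bytes, not real malware.
"""
import hashlib
import os
import tempfile
from pathlib import Path

REPORT_HASHES = {
    "8eb6a3c899db46f9fb4febd592517e4c859b9b0759133843252c4093e114d6cf": r"%TEMP%\$$a23D6.bat",
    "fc02df6a818f176e9499cda422291726b9e3d37d6e381dd5629295df031cde03": r"C:\Windows\Logo1_.exe",
    "b209a195049e7e6704c77e5856589ab1a257bb70f6457099a5a39cd9531d81bb": "GoogleUpdateCore.exe (modified)",
    "b5a9fa3acde4d9499ea08a6d9ff193fc9cda57f04141f82d2422a4008f451200": "_desktop.ini marker",
}
# Names the sample and Logo1_.exe wrote directly under C:\Windows.
WINDOWS_DROPS = {"logo1_.exe", "rundl132.exe", "dll.dll"}
# The infector's per-directory marker. Note the leading underscore: Windows' own
# folder-customisation file is desktop.ini and must not be flagged.
MARKER = "_desktop.ini"
HASH_EXTS = (".exe", ".dll", ".bat")


def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(root, known_hashes=REPORT_HASHES, hash_limit=64 << 20):
    """Walk `root` and return the artefacts found, as relative POSIX-style paths."""
    root = Path(root)
    found = {"markers": [], "startup_markers": [], "windows_drops": [], "hash_matches": []}
    for dirpath, _dirs, files in os.walk(root):
        d = Path(dirpath)
        for name in files:
            p = d / name
            rel_path = p.relative_to(root)
            rel = rel_path.as_posix()
            low = name.lower()
            if low == MARKER:
                found["markers"].append(rel)
                # A marker inside an Office STARTUP folder is the "Drops startup file" hit.
                if "startup" in (part.lower() for part in rel_path.parts):
                    found["startup_markers"].append(rel)
            if low in WINDOWS_DROPS and d.name.lower() == "windows":
                found["windows_drops"].append(rel)
            if low == MARKER or low.endswith(HASH_EXTS):
                try:
                    if p.stat().st_size <= hash_limit:
                        digest = sha256_file(p)
                        if digest in known_hashes:
                            found["hash_matches"].append((rel, known_hashes[digest]))
                except OSError:
                    pass  # unreadable file: skip it rather than abort the sweep
    return {k: sorted(v) for k, v in found.items()}


def build_sample_tree(base):
    """Constructed layout echoing the report's drop locations; contents are placeholders."""
    layout = {
        "Windows/Logo1_.exe": b"placeholder Logo1_",
        "Windows/rundl132.exe": b"placeholder rundl132",
        "Windows/Dll.dll": b"placeholder Dll",
        "Program Files/_desktop.ini": b"2024-10-26",
        "Program Files/VideoLAN/VLC/locale/mn/_desktop.ini": b"2024-10-26",
        "Users/Admin/AppData/Roaming/Microsoft/Word/STARTUP/_desktop.ini": b"2024-10-26",
        "Program Files/Java/jre7/bin/desktop.ini": b"[.ShellClassInfo]",  # legitimate, not flagged
    }
    for rel, data in layout.items():
        p = Path(base) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return Path(base)


def self_check():
    """Run hunt() over the constructed tree; the planted Logo1_.exe is added to the hash set."""
    with tempfile.TemporaryDirectory() as tmp:
        root = build_sample_tree(tmp)
        iocs = dict(REPORT_HASHES)
        iocs[hashlib.sha256(b"placeholder Logo1_").hexdigest()] = "planted Logo1_.exe"
        return hunt(root, iocs)


if __name__ == "__main__":
    for kind, items in self_check().items():
        print(f"{kind}: {items}")
```

Hashing is restricted to executables, DLLs, batch files and the marker so that a sweep of a full volume stays fast; the marker match on name alone is the cheap, high-yield signal here because the report shows hundreds of them, one per directory walked, including on removable drives.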

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-26 04:22

Reported

2024-10-26 04:25

Platform

win10v2004-20241007-en

Max time kernel

149s

Max time network

152s

Command Line

C:\Windows\Explorer.EXE

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A

Reads user/profile data of web browsers

spyware stealer (no indicator rows were recorded for this signature; it is the sole source of the spyware/stealer tags on this report)

Checks installed software on the system

discovery (no indicator rows were recorded for this signature)

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: and \??\G: through \??\Z: (21 drive letters: every letter from E: to Z: except F:) C:\Windows\Logo1_.exe N/A

The same drive-letter sweep as in behavioral1, on the Windows 10 image.

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ko\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\hr-hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\uk-ua\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\notification_helper.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sq\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\de-de\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ar-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\cs-cz\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre-1.8\legal\javafx\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\nb-no\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\dotnet.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\pl-pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ca-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\RMNSQUE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Legal\ENU\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office 15\ClientX64\IntegratedOffice.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\uk-ua\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\eu-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\pl-pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\VSTO\10.0\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ku_IQ\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ka\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\he-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\fr-ma\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\epdf\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\hr-hr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\sk-sk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\en-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sk-sk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Internet Explorer\ielowutil.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ENFR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\en-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\Dll.dll C:\Windows\Logo1_.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net1.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Logo1_.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\net.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 924 wrote to memory of 1552 N/A C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe C:\Windows\SysWOW64\net.exe
PID 1552 wrote to memory of 1628 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 924 wrote to memory of 2800 N/A C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe C:\Windows\SysWOW64\cmd.exe
PID 924 wrote to memory of 4444 N/A C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe C:\Windows\Logo1_.exe
PID 4444 wrote to memory of 4832 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4832 wrote to memory of 2948 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2800 wrote to memory of 5000 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe
PID 5000 wrote to memory of 404 N/A C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe
PID 4444 wrote to memory of 4904 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4904 wrote to memory of 216 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4444 wrote to memory of 3532 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe

"C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a6EE6.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe

"C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe"

C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe

"C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe" -burn.unelevated BurnPipe.{A82C33E8-B55A-445F-BE64-7127AEE3C92E} {DDE9AE8A-290E-4F4C-B2B7-81CEBCD9B74B} 5000

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network


Files

memory/924-0-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Windows\Logo1_.exe

memory/4444-8-0x0000000000400000-0x000000000043D000-memory.dmp

memory/924-10-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a6EE6.bat

C:\Users\Admin\AppData\Local\Temp\ec479b359747438266f75f97bb50b916d0f27d607e3dd40d8871c299a43cba4e.exe.exe

C:\Users\Admin\AppData\Local\Temp\{61087a79-ac85-455c-934d-1fa22cc64f36}\.ba1\wixstdba.dll

C:\Users\Admin\AppData\Local\Temp\{61087a79-ac85-455c-934d-1fa22cc64f36}\.ba1\logo.png

memory/4444-36-0x0000000000400000-0x000000000043D000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-2878641211-696417878-3864914810-1000\_desktop.ini

C:\Program Files\7-Zip\7z.exe

memory/4444-3564-0x0000000000400000-0x000000000043D000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe

memory/4444-8748-0x0000000000400000-0x000000000043D000-memory.dmp