Analysis Overview
SHA256
248989ebb401a62ab50da38b44ecd27b39c20d35611d146e90173e6e23ff36ed
Threat Level: Shows suspicious behavior
The file 248989ebb401a62ab50da38b44ecd27b39c20d35611d146e90173e6e23ff36ed was found to show suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Drops startup file
Reads user/profile data of web browsers
Enumerates connected drives
Drops file in Windows directory
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V16
Analysis: static1
Detonation Overview
Reported
2025-06-30 17:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2025-06-30 17:38
Reported
2025-06-30 17:41
Platform
win11-20250619-en
Max time kernel
150s
Max time network
103s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\248989ebb401a62ab50da38b44ecd27b39c20d35611d146e90173e6e23ff36ed.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\J: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\Logo1_.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\he-il\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\en-gb\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ro-ro\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\jre\lib\security\policy\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Windows Photo Viewer\fr-FR\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example2.Diagnostics\1.0.1\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fr-fr\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sk-sk\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ca-es\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\de-de\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-gb\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\SUMIPNTG\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\nb-no\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\fr-fr\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\nl-nl\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ru-ru\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\es-es\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sl-sl\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\policytool.exe | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\loc\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\hu-hu\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ca-es\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\DAO\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\de-DE\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Defender\es-ES\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\klist.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\Integration\Addons\OneDriveSetup.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nl-nl\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sk-sk\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\msedgewebview2.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\legal\javafx\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX64\Microsoft SQL Server\130\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\Resources\1033\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\ko-kr\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateSetup.exe | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\es\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\ESEN\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\app\dev\libs\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\da-dk\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-tw\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\nl-nl\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\ru\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ca-es\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\2.0.1\Diagnostics\Simple\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\it-it\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\Microsoft Shared\ink\HWRCustomization\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\legal\javafx\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\en-US\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Esl\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\he-il\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\sv-se\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\sv-se\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\de-de\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\ka\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Logo1_.exe | C:\Users\Admin\AppData\Local\Temp\248989ebb401a62ab50da38b44ecd27b39c20d35611d146e90173e6e23ff36ed.exe | N/A |
| File opened for modification | C:\Windows\rundl132.exe | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Windows\Dll.dll | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Windows\rundl132.exe | C:\Users\Admin\AppData\Local\Temp\248989ebb401a62ab50da38b44ecd27b39c20d35611d146e90173e6e23ff36ed.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\248989ebb401a62ab50da38b44ecd27b39c20d35611d146e90173e6e23ff36ed.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Logo1_.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\248989ebb401a62ab50da38b44ecd27b39c20d35611d146e90173e6e23ff36ed.exe | "C:\Users\Admin\AppData\Local\Temp\248989ebb401a62ab50da38b44ecd27b39c20d35611d146e90173e6e23ff36ed.exe" |
| C:\Windows\SysWOW64\net.exe | net stop "Kingsoft AntiVirus Service" |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5D14.bat |
| C:\Windows\Logo1_.exe | C:\Windows\Logo1_.exe |
| C:\Windows\SysWOW64\net.exe | net stop "Kingsoft AntiVirus Service" |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service" |
| C:\Users\Admin\AppData\Local\Temp\248989ebb401a62ab50da38b44ecd27b39c20d35611d146e90173e6e23ff36ed.exe | "C:\Users\Admin\AppData\Local\Temp\248989ebb401a62ab50da38b44ecd27b39c20d35611d146e90173e6e23ff36ed.exe" |
| C:\Windows\SysWOW64\net.exe | net stop "Kingsoft AntiVirus Service" |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service" |
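The process list above contains the three things worth alerting on: net.exe/net1.exe stopping an antivirus service, cmd.exe running a `$$`-prefixed batch file out of %TEMP%, and a dropped executable running from the root of C:\Windows. The Python below is an added example, not part of this report and not any sandbox's rule set: it runs four simple rules over process-creation events written by hand to mirror that list. The hash-named sample path is replaced by the stand-in `sample.exe`; a `rundl132.exe` launch is included only to exercise the name-masquerading rule, since the report records that file being written, not executed. The allowlists, service-name pattern and edit-distance threshold are assumptions to tune.

```python
"""Detection rules over constructed process-creation events (added example).

SAMPLE_EVENTS are hand-written to mirror the behavioral2 process list; SAMPLE
stands in for the hash-named sample path. Lists and thresholds are assumptions.
"""
import re
from typing import NamedTuple

# Names a masquerading dropper tends to imitate (assumed list; extend for your estate).
WINDOWS_BINARIES = ("conhost.exe", "csrss.exe", "explorer.exe", "lsass.exe",
                    "rundll32.exe", "services.exe", "svchost.exe", "winlogon.exe")
# Executables legitimately found directly in C:\Windows (assumed list; tune to your image).
WINDOWS_ROOT_ALLOW = {"explorer.exe", "notepad.exe", "regedit.exe", "hh.exe",
                      "write.exe", "splwow64.exe"}
SECURITY_SERVICE_RE = re.compile(r"antivirus|anti-virus|defender|security|endpoint", re.I)
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\sample.exe"  # stand-in for the real sample path

class Event(NamedTuple):
    image: str
    command_line: str

class Finding(NamedTuple):
    technique: str
    reason: str
    image: str

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; file names are short, so the O(n*m) table is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def rule_stop_security_service(ev):
    """net.exe / net1.exe stopping a service whose name looks like a security product."""
    if basename(ev.image) not in {"net.exe", "net1.exe"}:
        return None
    m = re.search(r'\bstop\s+"?([^"]+)"?', ev.command_line, re.I)
    if m and SECURITY_SERVICE_RE.search(m.group(1)):
        return Finding("T1562.001", "stops security service " + m.group(1).strip(), ev.image)
    return None

def rule_temp_batch_via_cmd(ev):
    """cmd.exe /c running a batch file out of the user's Temp directory."""
    if basename(ev.image) != "cmd.exe":
        return None
    m = re.search(r"/c\s+(\S+\.bat)\b", ev.command_line, re.I)
    if m and re.search(r"\\AppData\\Local\\Temp\\", m.group(1), re.I):
        return Finding("T1059.003", "batch from Temp " + m.group(1), ev.image)
    return None

def rule_masquerading_name(ev):
    """Image name one or two edits away from a well-known binary (rundl132.exe vs rundll32.exe)."""
    name = basename(ev.image)
    for legit in WINDOWS_BINARIES:
        if name != legit and edit_distance(name, legit) <= 2:
            return Finding("T1036.005", f"{name} resembles {legit}", ev.image)
    return None

def rule_exe_in_windows_root(ev):
    """Executable launched from the root of the Windows directory that is not expected there."""
    m = re.fullmatch(r"c:\\windows\\([^\\]+\.exe)", ev.image, re.I)
    if m and m.group(1).lower() not in WINDOWS_ROOT_ALLOW:
        return Finding("T1036", "unexpected PE in Windows root " + m.group(1), ev.image)
    return None

RULES = (rule_stop_security_service, rule_temp_batch_via_cmd,
         rule_masquerading_name, rule_exe_in_windows_root)

def scan(events):
    """Apply every rule to every event; returns all findings in rule order."""
    findings = []
    for ev in events:
        for rule in RULES:
            f = rule(ev)
            if f is not None:
                findings.append(f)
    return findings

# Constructed events mirroring the behavioral2 process list (not an EDR capture).
SAMPLE_EVENTS = [
    Event(r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    Event(SAMPLE, f'"{SAMPLE}"'),
    Event(r"C:\Windows\SysWOW64\net.exe", 'net stop "Kingsoft AntiVirus Service"'),
    Event(r"C:\Windows\SysWOW64\net1.exe",
          r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
    Event(r"C:\Windows\SysWOW64\cmd.exe",
          r"C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5D14.bat"),
    Event(r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    # Constructed: the report shows rundl132.exe being written, not launched.
    Event(r"C:\Windows\rundl132.exe", r"C:\Windows\rundl132.exe"),
]
```

net.exe hands the request to net1.exe, so one service stop produces two T1562.001 hits; collapse them on the parent chain before routing the alert. The Windows-root rule is a hunting heuristic rather than a clean detection, because a handful of legitimate executables do live in C:\Windows and the allowlist has to match your build image.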
Network
Files
memory/5688-0-0x0000000000400000-0x000000000043D000-memory.dmp
C:\Windows\Logo1_.exe
| MD5 | 07d465266ad0c96e77e6311dfbcec840 |
| SHA1 | d6daf990d3b110b08d58c11a485594925459ffdb |
| SHA256 | 6254846e8ff533bfbf772741e651a52e9e3629f167a8b5155d20066de051306b |
| SHA512 | baf801253d21798695f12af6718e0d694d3ba9ebe14e58800fb89eaafad9fccc704b07ea8ba7c04a90a28a863558904e0485deeb06856eb0214655765eed0bea |
memory/5688-8-0x0000000000400000-0x000000000043D000-memory.dmp
memory/2200-9-0x0000000000400000-0x000000000043D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\$$a5D14.bat
| MD5 | 17632571b4334416e71babe3bf4643c8 |
| SHA1 | 970e162ba8292984c49186ca726b5c8181586fbb |
| SHA256 | a31a608573315b02cf45b38aedc5d32f755aa8952fb323c1fa02906ee6101974 |
| SHA512 | 17a35ab70c181dc7d80c7ab53d6e34708a68976cc57c38656df42fdb6fcf6da6e3b6fc0a7b1fa382fa6b74a196e3f39ed1ae4f1461b23025ed6f0e0835dd181d |
C:\Users\Admin\AppData\Local\Temp\248989ebb401a62ab50da38b44ecd27b39c20d35611d146e90173e6e23ff36ed.exe.exe
| MD5 | 3440c72d695db245adb2728b6a5d9b1d |
| SHA1 | 1e510973687c9a0b58464aaf43048a183d825e26 |
| SHA256 | 37462e31a348d32c9421557f38a601a632c0bdf24d8157481ba82b45f8fef64f |
| SHA512 | 5be93dca3a1f9b8e286146d43f848ef6b8bc5ef99ca5cf50839a62dd5083d915dc94ca5a30658838e2365a45a5dd522e641ee71f811202148c9db860113018e6 |
memory/2200-17-0x0000000000400000-0x000000000043D000-memory.dmp
F:\$RECYCLE.BIN\S-1-5-21-3972667009-3658015838-2693993929-1000\_desktop.ini
| MD5 | 8d5d367ed8a2afc1fc0b8fc7d14da98c |
| SHA1 | fddfad39cd8b448d0d3dbb6e9c67752999568783 |
| SHA256 | 93740c0db50f557803e16032194380e92e586f9cd845c4543eae2c3aa97d95f6 |
| SHA512 | 3215518f650fe697fa80054e2e7e98a55a23832309347704985d502ecf46726048291ace0a619b669726fda404c9235047a21563971a238864ee3523f5bbe96b |
C:\Program Files\7-Zip\7z.exe
| MD5 | 38dacf57da2f972bcb2d91525760069b |
| SHA1 | 67089faa4a033a5fe62c12ae705501e5b322e1f8 |
| SHA256 | ce6f517e6f8c4c79963e91ba7a26b8ec36cbb4a2b4c25648da14447da6b1b0f4 |
| SHA512 | 98013276b20f8e41fc1157453c39696298119c2fc0b1d73770a45acdcbd5e5def0232e52f4e539a5770a8ef2aeb7abeee5650e1467d369a0dc29ed617ba9b642 |
memory/2200-1606-0x0000000000400000-0x000000000043D000-memory.dmp
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.143.57\MicrosoftEdgeUpdateBroker.exe
| MD5 | 699a4d3829570887cf93d0bdae579565 |
| SHA1 | 88150a6ed3fb87229eaf9bf6effd9fdad4c7e81b |
| SHA256 | d58e7b9778c81c2f9588f0f63af1938cb047be0419e674e85086834b4815efb9 |
| SHA512 | 117db9d47cb3cb42c542fa92703c54f09a0fa497e55299943287dc16af886642e96955520e5bc1d4ecee7d523ff68e709bb0be1ec34f88c1efd32e7a10a4fa0e |
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe
| MD5 | 5ede147d684b624bff3c9087fc2f203f |
| SHA1 | 174c4ecba8d016bf2de19a1909479a08fc14de2b |
| SHA256 | 130a8a4abffa329e7253daa17685da1ca5eb705fd517766f88a7af704f6d71e1 |
| SHA512 | f605e21a16fc48327250ba0aa871d0921127a62c65613faf089e5fface89ccaecb5ab23067961930e2179699b686f291bf2c86da9cce2709304bfd5d3429e76e |
memory/2200-9653-0x0000000000400000-0x000000000043D000-memory.dmp
memory/2200-10017-0x0000000000400000-0x000000000043D000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2025-06-30 17:38
Reported
2025-06-30 17:41
Platform
win10v2004-20250619-en
Max time kernel
149s
Max time network
138s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\248989ebb401a62ab50da38b44ecd27b39c20d35611d146e90173e6e23ff36ed.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\Y: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\Logo1_.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\VideoLAN\VLC\locale\fy\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\libs\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ar-ae\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\nl-nl\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\TRANSLAT\FREN\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft.NET\ADOMD.NET\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\sq\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\sv\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\it-IT\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\generic-rhp-app\js\nls\it-it\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files-select\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\MSBuild\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\si\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sk-sk\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\es-es\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ar-ae\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\de-de\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Functions\Assertions\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ca\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\de\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sl-si\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\nb-no\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\plugins\selection-action-plugins\cpdf\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\tools\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\js\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\nl-nl\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\he\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-ae\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\it-it\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ko-kr\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\it-IT\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeWebView\Application\132.0.2957.140\identity_proxy\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\en-il\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\it-it\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\ru-ru\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\Providers\Plugins2\AdobeHunspellPlugin\SupplementalDictionaries\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\EdgeCore\132.0.2957.140\edge_feedback\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\fr-FR\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\es\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nb-no\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\images\themes\dark\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\eu-es\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\en\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\collect_feedback\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\eu-es\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\he-il\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\root\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ro-ro\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ca-es\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.15\pl\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\de\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\lua\meta\reader\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\ar\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rundl132.exe | C:\Users\Admin\AppData\Local\Temp\248989ebb401a62ab50da38b44ecd27b39c20d35611d146e90173e6e23ff36ed.exe | N/A |
| File created | C:\Windows\Logo1_.exe | C:\Users\Admin\AppData\Local\Temp\248989ebb401a62ab50da38b44ecd27b39c20d35611d146e90173e6e23ff36ed.exe | N/A |
| File opened for modification | C:\Windows\rundl132.exe | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Windows\Dll.dll | C:\Windows\Logo1_.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Logo1_.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\248989ebb401a62ab50da38b44ecd27b39c20d35611d146e90173e6e23ff36ed.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Users\Admin\AppData\Local\Temp\248989ebb401a62ab50da38b44ecd27b39c20d35611d146e90173e6e23ff36ed.exe | "C:\Users\Admin\AppData\Local\Temp\248989ebb401a62ab50da38b44ecd27b39c20d35611d146e90173e6e23ff36ed.exe" |
| C:\Windows\SysWOW64\net.exe | net stop "Kingsoft AntiVirus Service" |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD12B.bat |
| C:\Windows\Logo1_.exe | C:\Windows\Logo1_.exe |
| C:\Windows\SysWOW64\net.exe | net stop "Kingsoft AntiVirus Service" |
| C:\Users\Admin\AppData\Local\Temp\248989ebb401a62ab50da38b44ecd27b39c20d35611d146e90173e6e23ff36ed.exe | "C:\Users\Admin\AppData\Local\Temp\248989ebb401a62ab50da38b44ecd27b39c20d35611d146e90173e6e23ff36ed.exe" |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service" |
| C:\Windows\SysWOW64\net.exe | net stop "Kingsoft AntiVirus Service" |
| C:\Windows\SysWOW64\net1.exe | C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 23.4.84.71:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | c.pki.goog | udp |
| GB | 142.250.200.3:80 | c.pki.goog | tcp |
Files
C:\Windows\Logo1_.exe
C:\Users\Admin\AppData\Local\Temp\$$aD12B.bat
C:\Users\Admin\AppData\Local\Temp\248989ebb401a62ab50da38b44ecd27b39c20d35611d146e90173e6e23ff36ed.exe.exe
F:\$RECYCLE.BIN\S-1-5-21-1567862796-3850854820-1319363977-1000\_desktop.ini
C:\Program Files\ConvertToPing.exe
C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\1.3.147.37\MicrosoftEdgeUpdateBroker.exe
C:\ProgramData\Package Cache\{61087a79-ac85-455c-934d-1fa22cc64f36}\vcredist_x86.exe