Malware Analysis Report

2025-08-11 06:03

Sample ID 240222-wkjscsdd51
Target geode-installer-v2.0.0-beta.20-win.exe
SHA256 b8cb661ff6b8dd7be850a9ac2594a6bec1ad468316a8254470ff062112b64910
Tags
discovery
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral17

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral18

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral23

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral20

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral21

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral24

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral19

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral13

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral14

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral15

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral16

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral22

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

b8cb661ff6b8dd7be850a9ac2594a6bec1ad468316a8254470ff062112b64910

Threat Level: Shows suspicious behavior

The file geode-installer-v2.0.0-beta.20-win.exe was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery

Loads dropped DLL

Executes dropped EXE

Loads dropped DLL

Checks installed software on the system

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-22 17:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-22 17:58

Reported

2024-02-22 18:02

Platform

win10v2004-20240221-en

Max time kernel

92s

Max time network

114s

Command Line

"C:\Users\Admin\AppData\Local\Temp\geode-installer-v2.0.0-beta.20-win.exe"

Signatures

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\geode-installer-v2.0.0-beta.20-win.exe

"C:\Users\Admin\AppData\Local\Temp\geode-installer-v2.0.0-beta.20-win.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 148.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 63.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
GB 92.123.128.177:443 www.bing.com tcp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 177.128.123.92.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\nsi416F.tmp\LangDLL.dll

MD5 50016010fb0d8db2bc4cd258ceb43be5
SHA1 44ba95ee12e69da72478cf358c93533a9c7a01dc
SHA256 32230128c18574c1e860dfe4b17fe0334f685740e27bc182e0d525a8948c9c2e
SHA512 ed4cf49f756fbf673449dca20e63dce6d3a612b61f294efc9c3ccebeffa6a1372667932468816d3a7afdb7e5a652760689d8c6d3f331cedee7247404c879a233

C:\Users\Admin\AppData\Local\Temp\nsi416F.tmp\nsDialogs.dll

MD5 1d8f01a83ddd259bc339902c1d33c8f1
SHA1 9f7806af462c94c39e2ec6cc9c7ad05c44eba04e
SHA256 4b7d17da290f41ebe244827cc295ce7e580da2f7e9f7cc3efc1abc6898e3c9ed
SHA512 28bf647374b4b500a0f3dbced70c2b256f93940e2b39160512e6e486ac31d1d90945acecef578f61b0a501f27c7106b6ffc3deab2ec3bfb3d9af24c9449a1567

Analysis: behavioral3

Detonation Overview

Submitted

2024-02-22 17:58

Reported

2024-02-22 18:02

Platform

win7-20240221-en

Max time kernel

120s

Max time network

125s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2072 -s 224

Network

N/A

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2024-02-22 17:58

Reported

2024-02-22 18:02

Platform

win7-20240221-en

Max time kernel

118s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2092 -s 244

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2024-02-22 17:58

Reported

2024-02-22 18:02

Platform

win10v2004-20240221-en

Max time kernel

149s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Geode.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1560 wrote to memory of 2620 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1560 wrote to memory of 2620 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 1560 wrote to memory of 2620 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Geode.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Geode.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 74.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 81.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.73.50.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral12

Detonation Overview

Submitted

2024-02-22 17:58

Reported

2024-02-22 18:02

Platform

win10v2004-20240221-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\GeodeUninstaller.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu1.tmp\Un.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu1.tmp\Un.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\GeodeUninstaller.exe

"C:\Users\Admin\AppData\Local\Temp\GeodeUninstaller.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu1.tmp\Un.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu1.tmp\Un.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

Country Destination Domain Proto
US 8.8.8.8:53 147.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 75.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 48.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 80.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 27.178.89.13.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\~nsu1.tmp\Un.exe

MD5 0c0eccfe42409d4920761b9e97024a19
SHA1 6697aff9d1d2194ac70ff0c1b15c367eb717fcb1
SHA256 1d5cb5664ce800d33fa62ef0c3fd8f8c2f5aac11fb6d47d430ec8620a1b4fef5
SHA512 7fa5ce5e5881fe191a567adbff6954b375638c230dd50ddc41ef89c778b4c403ed6322a108743432f0733852c1710255f330ce0892d0c7462c3dd95e2ca3b0ba

C:\Users\Admin\AppData\Local\Temp\nsh59E8.tmp\LangDLL.dll

MD5 50016010fb0d8db2bc4cd258ceb43be5
SHA1 44ba95ee12e69da72478cf358c93533a9c7a01dc
SHA256 32230128c18574c1e860dfe4b17fe0334f685740e27bc182e0d525a8948c9c2e
SHA512 ed4cf49f756fbf673449dca20e63dce6d3a612b61f294efc9c3ccebeffa6a1372667932468816d3a7afdb7e5a652760689d8c6d3f331cedee7247404c879a233

Analysis: behavioral17

Detonation Overview

Submitted

2024-02-22 17:58

Reported

2024-02-22 18:02

Platform

win7-20240221-en

Max time kernel

122s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 244

Network

N/A

Files

N/A

Analysis: behavioral18

Detonation Overview

Submitted

2024-02-22 17:58

Reported

2024-02-22 18:02

Platform

win10v2004-20240221-en

Max time kernel

146s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3240 wrote to memory of 3992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3240 wrote to memory of 3992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3240 wrote to memory of 3992 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 3992 -ip 3992

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3992 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 21.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 58.189.79.40.in-addr.arpa udp

Files

N/A

Analysis: behavioral23

Detonation Overview

Submitted

2024-02-22 17:58

Reported

2024-02-22 18:02

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XInput9_1_0.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XInput9_1_0.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XInput9_1_0.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-02-22 17:58

Reported

2024-02-22 18:02

Platform

win10v2004-20240221-en

Max time kernel

92s

Max time network

126s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2716 wrote to memory of 3664 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2716 wrote to memory of 3664 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2716 wrote to memory of 3664 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3664 -ip 3664

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3664 -s 608

Network

Country Destination Domain Proto
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 61.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 50.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 81.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 62.179.17.96.in-addr.arpa udp

Files

N/A

Analysis: behavioral5

Detonation Overview

Submitted

2024-02-22 17:58

Reported

2024-02-22 18:02

Platform

win7-20240221-en

Max time kernel

118s

Max time network

123s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1500 -s 224

Network

N/A

Files

N/A

Analysis: behavioral6

Detonation Overview

Submitted

2024-02-22 17:58

Reported

2024-02-22 18:02

Platform

win10v2004-20240221-en

Max time kernel

145s

Max time network

152s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2444 wrote to memory of 4468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2444 wrote to memory of 4468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2444 wrote to memory of 4468 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4468 -ip 4468

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4468 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 75.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 81.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 31.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 84.65.42.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2024-02-22 17:58

Reported

2024-02-22 18:02

Platform

win7-20240221-en

Max time kernel

122s

Max time network

128s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Geode.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2152 wrote to memory of 2248 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2152 wrote to memory of 2248 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2152 wrote to memory of 2248 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2152 wrote to memory of 2248 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2152 wrote to memory of 2248 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2152 wrote to memory of 2248 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2152 wrote to memory of 2248 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Geode.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\Geode.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral20

Detonation Overview

Submitted

2024-02-22 17:58

Reported

2024-02-22 18:02

Platform

win10v2004-20240221-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\GeodeUpdater.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\GeodeUpdater.exe

"C:\Users\Admin\AppData\Local\Temp\GeodeUpdater.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 139.203.100.95.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 75.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 210.143.182.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral21

Detonation Overview

Submitted

2024-02-22 17:58

Reported

2024-02-22 18:02

Platform

win7-20240220-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VC_redist.x86.exe"

Signatures

Checks installed software on the system

discovery

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Temp\{FBAB9EFD-451E-4B67-BFD0-31697C488EC5}\.cr\VC_redist.x86.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\VC_redist.x86.exe

"C:\Users\Admin\AppData\Local\Temp\VC_redist.x86.exe"

C:\Windows\Temp\{FBAB9EFD-451E-4B67-BFD0-31697C488EC5}\.cr\VC_redist.x86.exe

"C:\Windows\Temp\{FBAB9EFD-451E-4B67-BFD0-31697C488EC5}\.cr\VC_redist.x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\VC_redist.x86.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188

Network

N/A

Files

\Windows\Temp\{FBAB9EFD-451E-4B67-BFD0-31697C488EC5}\.cr\VC_redist.x86.exe

MD5 7bd0b2d204d75012d3a9a9ce107c379e
SHA1 41edd6321965d48e11ecded3852eb32e3c13848d
SHA256 d4c6f5c74bbb45c4f33d9cb7ddce47226ea0a5ab90b8ff3f420b63a55c3f6dd2
SHA512 d85ac030ebb3ba4412e69b5693406fe87e46696ca2a926ef75b6f6438e16b0c7ed1342363098530cdceb4db8e50614f33f972f7995e4222313fcef036887d0f0

\Windows\Temp\{7BD0A2DE-98D5-4AB2-9886-C6E8C26CEBDB}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

C:\Windows\Temp\{7BD0A2DE-98D5-4AB2-9886-C6E8C26CEBDB}\.ba\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b

Analysis: behavioral24

Detonation Overview

Submitted

2024-02-22 17:58

Reported

2024-02-22 18:02

Platform

win10v2004-20240221-en

Max time kernel

148s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XInput9_1_0.dll,#1

Signatures

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5012 wrote to memory of 4844 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5012 wrote to memory of 4844 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 5012 wrote to memory of 4844 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XInput9_1_0.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\XInput9_1_0.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 186.110.86.104.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 75.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 81.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 3.173.189.20.in-addr.arpa udp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-22 17:58

Reported

2024-02-22 18:02

Platform

win7-20240221-en

Max time kernel

120s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\geode-installer-v2.0.0-beta.20-win.exe"

Signatures

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\geode-installer-v2.0.0-beta.20-win.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\geode-installer-v2.0.0-beta.20-win.exe

"C:\Users\Admin\AppData\Local\Temp\geode-installer-v2.0.0-beta.20-win.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nsyF5D.tmp\LangDLL.dll

MD5 50016010fb0d8db2bc4cd258ceb43be5
SHA1 44ba95ee12e69da72478cf358c93533a9c7a01dc
SHA256 32230128c18574c1e860dfe4b17fe0334f685740e27bc182e0d525a8948c9c2e
SHA512 ed4cf49f756fbf673449dca20e63dce6d3a612b61f294efc9c3ccebeffa6a1372667932468816d3a7afdb7e5a652760689d8c6d3f331cedee7247404c879a233

\Users\Admin\AppData\Local\Temp\nsyF5D.tmp\nsDialogs.dll

MD5 1d8f01a83ddd259bc339902c1d33c8f1
SHA1 9f7806af462c94c39e2ec6cc9c7ad05c44eba04e
SHA256 4b7d17da290f41ebe244827cc295ce7e580da2f7e9f7cc3efc1abc6898e3c9ed
SHA512 28bf647374b4b500a0f3dbced70c2b256f93940e2b39160512e6e486ac31d1d90945acecef578f61b0a501f27c7106b6ffc3deab2ec3bfb3d9af24c9449a1567

\Users\Admin\AppData\Local\Temp\nsyF5D.tmp\System.dll

MD5 4add245d4ba34b04f213409bfe504c07
SHA1 ef756d6581d70e87d58cc4982e3f4d18e0ea5b09
SHA256 9111099efe9d5c9b391dc132b2faf0a3851a760d4106d5368e30ac744eb42706
SHA512 1bd260cabe5ea3cefbbc675162f30092ab157893510f45a1b571489e03ebb2903c55f64f89812754d3fe03c8f10012b8078d1261a7e73ac1f87c82f714bce03d

Analysis: behavioral8

Detonation Overview

Submitted

2024-02-22 17:58

Reported

2024-02-22 18:02

Platform

win10v2004-20240221-en

Max time kernel

149s

Max time network

151s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3736 wrote to memory of 3188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3736 wrote to memory of 3188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 3736 wrote to memory of 3188 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\nsDialogs.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 404 -p 3188 -ip 3188

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3188 -s 636

Network

Country Destination Domain Proto
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 50.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 80.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 62.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2024-02-22 17:58

Reported

2024-02-22 18:02

Platform

win7-20240220-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\GeodeUninstaller.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu1.tmp\Un.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\GeodeUninstaller.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\~nsu1.tmp\Un.exe N/A

Enumerates physical storage devices

Processes

C:\Users\Admin\AppData\Local\Temp\GeodeUninstaller.exe

"C:\Users\Admin\AppData\Local\Temp\GeodeUninstaller.exe"

C:\Users\Admin\AppData\Local\Temp\~nsu1.tmp\Un.exe

"C:\Users\Admin\AppData\Local\Temp\~nsu1.tmp\Un.exe" _?=C:\Users\Admin\AppData\Local\Temp\

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\~nsu1.tmp\Un.exe

MD5 0c0eccfe42409d4920761b9e97024a19
SHA1 6697aff9d1d2194ac70ff0c1b15c367eb717fcb1
SHA256 1d5cb5664ce800d33fa62ef0c3fd8f8c2f5aac11fb6d47d430ec8620a1b4fef5
SHA512 7fa5ce5e5881fe191a567adbff6954b375638c230dd50ddc41ef89c778b4c403ed6322a108743432f0733852c1710255f330ce0892d0c7462c3dd95e2ca3b0ba

\Users\Admin\AppData\Local\Temp\nst2702.tmp\LangDLL.dll

MD5 50016010fb0d8db2bc4cd258ceb43be5
SHA1 44ba95ee12e69da72478cf358c93533a9c7a01dc
SHA256 32230128c18574c1e860dfe4b17fe0334f685740e27bc182e0d525a8948c9c2e
SHA512 ed4cf49f756fbf673449dca20e63dce6d3a612b61f294efc9c3ccebeffa6a1372667932468816d3a7afdb7e5a652760689d8c6d3f331cedee7247404c879a233

Analysis: behavioral19

Detonation Overview

Submitted

2024-02-22 17:58

Reported

2024-02-22 18:02

Platform

win7-20240221-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\GeodeUpdater.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\GeodeUpdater.exe

"C:\Users\Admin\AppData\Local\Temp\GeodeUpdater.exe"

Network

N/A

Files

N/A

Analysis: behavioral13

Detonation Overview

Submitted

2024-02-22 17:58

Reported

2024-02-22 18:02

Platform

win7-20240215-en

Max time kernel

120s

Max time network

121s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1752 -s 220

Network

N/A

Files

N/A

Analysis: behavioral14

Detonation Overview

Submitted

2024-02-22 17:58

Reported

2024-02-22 18:02

Platform

win10v2004-20240221-en

Max time kernel

94s

Max time network

122s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 444 wrote to memory of 4920 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 444 wrote to memory of 4920 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 444 wrote to memory of 4920 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\LangDLL.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 4920 -ip 4920

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4920 -s 600

Network

Country Destination Domain Proto
US 8.8.8.8:53 147.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 74.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 75.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral15

Detonation Overview

Submitted

2024-02-22 17:58

Reported

2024-02-22 18:02

Platform

win7-20240221-en

Max time kernel

120s

Max time network

124s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2360 -s 224

Network

N/A

Files

N/A

Analysis: behavioral16

Detonation Overview

Submitted

2024-02-22 17:58

Reported

2024-02-22 18:02

Platform

win10v2004-20240221-en

Max time kernel

148s

Max time network

154s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

Signatures

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\rundll32.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2484 wrote to memory of 1712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2484 wrote to memory of 1712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2484 wrote to memory of 1712 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\System.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 1712 -ip 1712

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1712 -s 612

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 65.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 134.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 66.112.168.52.in-addr.arpa udp

Files

N/A

Analysis: behavioral22

Detonation Overview

Submitted

2024-02-22 17:58

Reported

2024-02-22 18:02

Platform

win10v2004-20240221-en

Max time kernel

149s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\VC_redist.x86.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\VC_redist.x86.exe

"C:\Users\Admin\AppData\Local\Temp\VC_redist.x86.exe"

C:\Windows\Temp\{5C60C584-E3B2-4CBA-B3CE-CDC79AF312B1}\.cr\VC_redist.x86.exe

"C:\Windows\Temp\{5C60C584-E3B2-4CBA-B3CE-CDC79AF312B1}\.cr\VC_redist.x86.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\VC_redist.x86.exe" -burn.filehandle.attached=552 -burn.filehandle.self=520

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 81.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 140.71.91.104.in-addr.arpa udp
US 8.8.8.8:53 83.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 104.193.132.51.in-addr.arpa udp

Files

C:\Windows\Temp\{5C60C584-E3B2-4CBA-B3CE-CDC79AF312B1}\.cr\VC_redist.x86.exe

MD5 7bd0b2d204d75012d3a9a9ce107c379e
SHA1 41edd6321965d48e11ecded3852eb32e3c13848d
SHA256 d4c6f5c74bbb45c4f33d9cb7ddce47226ea0a5ab90b8ff3f420b63a55c3f6dd2
SHA512 d85ac030ebb3ba4412e69b5693406fe87e46696ca2a926ef75b6f6438e16b0c7ed1342363098530cdceb4db8e50614f33f972f7995e4222313fcef036887d0f0

C:\Windows\Temp\{250C2130-B969-4CEF-BFCA-31D24433453E}\.ba\wixstdba.dll

MD5 eab9caf4277829abdf6223ec1efa0edd
SHA1 74862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256 a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA512 45b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2

C:\Windows\Temp\{250C2130-B969-4CEF-BFCA-31D24433453E}\.ba\logo.png

MD5 d6bd210f227442b3362493d046cea233
SHA1 ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256 335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512 464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b