Malware Analysis Report

2025-08-10 21:27

Sample ID 240525-ax2m2sgf93
Target 04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca
SHA256 04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256

04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca

Threat Level: Shows suspicious behavior

The file 04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca was found to show suspicious behavior.

Malicious Activity Summary

Deletes itself

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Runs net.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-25 00:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-25 00:36

Reported

2024-05-25 00:38

Platform

win7-20240508-en

Max time kernel

150s

Max time network

123s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Common Files\microsoft shared\MSClientDataMgr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\fr-FR\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Desert\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SpringGreen\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ta\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\Asia\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Chess\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\locale\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft.NET\RedistList\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Mail\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\bn\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\gifs\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Spades\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Media Player\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\unpack200.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows NT\TableTextService\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\he\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\in_sidebar\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe AIR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\Accessories\wordpad.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows NT\Accessories\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Purble Place\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\management\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\kab\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\ext\locale\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AdobeCollabSync.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\Multimedia\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\PROOF\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\pt_BR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Templates\Presentation Designs\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.rjmx_5.5.0.165303\lib\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Solitaire\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\sr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\id\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\TextConv\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\pt_BR\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2972 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2912 N/A C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe C:\Windows\Logo1_.exe
PID 2972 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe C:\Windows\Logo1_.exe
PID 2972 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe C:\Windows\Logo1_.exe
PID 2972 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe C:\Windows\Logo1_.exe
PID 2916 wrote to memory of 2648 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2916 wrote to memory of 2648 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2916 wrote to memory of 2648 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2916 wrote to memory of 2648 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2912 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe
PID 2912 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe
PID 2912 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe
PID 2912 wrote to memory of 2708 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe
PID 2648 wrote to memory of 2928 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2648 wrote to memory of 2928 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2648 wrote to memory of 2928 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2648 wrote to memory of 2928 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2916 wrote to memory of 1208 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2916 wrote to memory of 1208 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe

"C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a146B.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe

"C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/2972-0-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a146B.bat

MD5 091eec9a0c065312de2e104302e1f895
SHA1 f0fd73d055aed07715dbb13f30b3160f80625aa5
SHA256 61142a6d91a7937443d6acfe4f161feab9a4e409b13cc5626f049f723739453b
SHA512 465beb2771858aad2cba20a905e104f2b3605ec5d8d5173e2f5dd9135906890bfd231a744247a509cf5609fcaa30b8d137f58e6a151ddc1b44b1802d561cec18

memory/2972-12-0x0000000000220000-0x0000000000255000-memory.dmp

memory/2972-17-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\Logo1_.exe

MD5 2b90d375fad4e39663e1c00356e9206b
SHA1 5c84c40605f4af4185647e0a68aafed0ebbdc393
SHA256 623973fd332abcafc9944af01d2fe114d0293a00cc29a67300cde94769b337cf
SHA512 7c9491cf52bdea6936bb7b2e30562941ca26a41587e5fdd05e02d17e37b773ebf0856092b3030ae31da2ce43196682e96873c0c9adfc8525903b11bf36e4806f

C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe.exe

MD5 9f498971cbe636662f3d210747d619e1
SHA1 44b8e2732fa1e2f204fc70eaa1cb406616250085
SHA256 8adf6748981c3e7b62f5dbca992be6675574fffbce7673743f2d7fe787d56a41
SHA512 b73083c2f7b028d2946cb8f7b4fe2289fedaa4175364a2aac37db0aeff4602aede772ccc9eba7e6dcfcb7276e52604ca45d8021952201b5834485b48bca3dc93

memory/1208-29-0x0000000002EA0000-0x0000000002EA1000-memory.dmp

memory/2916-31-0x0000000000400000-0x0000000000435000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-268080393-3149932598-1824759070-1000\_desktop.ini

MD5 7619ead719f9163af9f64f79eeff7c36
SHA1 7b956c82fba1f4a0ea8b09ca2e39d89159e21b75
SHA256 da9af76d7e3938d1bd300436de0d394ef0453f260a69c94905084222eb3fbb45
SHA512 29dd3ef54766931036c2f0d755bb3fc89619e548c95658577930a5a748ac2b2855a9e5ee5601697ebbac8a7d435abd4c9e9e2255b0e455e267e0d95358fa86df

memory/2916-38-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2916-44-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2916-90-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2916-96-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2916-477-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2916-1873-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 6735a16d04dfac1f92f7ab89c64b071f
SHA1 502eaa755229fc80b186faf533cf827c322bab66
SHA256 3a071105a38c10f7fa17dcc239337e999b57b68f4bd05c168b2548956931383c
SHA512 bfe01bb853f187f68d0fe64da2da4cf1d26c0491eb3183a7c7d5e905a1b1c3db90b84c1cdadb00c7d7f733ef32a9153dfa73de5259d9f1c3d401633145b420a8

memory/2916-3333-0x0000000000400000-0x0000000000435000-memory.dmp

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 88eb1bca8c399bc3f46e99cdde2f047e
SHA1 55fafbceb011e1af2edced978686a90971bd95f2
SHA256 42fd78c05bc240d4ded16ac974f17c336f6ae3a1814d548021c48a942cc30428
SHA512 149d4de0c024e25a13a7bb17471e6f48391d4f26b1c8388672320eed1c255f84219ad7b72bbebc531ae558d5192dd4bb6d0dddd6c65a45300c8e8348a4fb3728

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-25 00:36

Reported

2024-05-25 00:38

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

106s

Command Line

C:\Windows\Explorer.EXE

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\cs-cz\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\legal\javafx\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\an\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\hr-HR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ja-JP\View3d\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PowerShellGet\1.0.0.1\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\Mappings\Adobe\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\host\fxr\7.0.16\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account-select\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\de-de\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\java.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\uk-ua\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\en-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\uninstall.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\uz\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.YourPhone_0.19051.7.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Functions\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\ADelRCP.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\mn\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ca\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Place\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\cs-cz\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\css\fonts\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\de-de\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\pl-pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\it-it\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office 15\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\codec\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.549981C3F5F10_1.1911.21713.0_x64__8wekyb3d8bbwe\Assets\Images\contrast-black\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewer\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\is-IS\View3d\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\TabTip32.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Trust Protection Lists\Sigma\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ml\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_neutral_~_8wekyb3d8bbwe\AppxMetadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\it\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\ar-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nb-no\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\it-it\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\hi\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example3.Diagnostics\1.1.1\Diagnostics\Simple\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\maintenanceservice_installer.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\minidump-analyzer.exe C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2360 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 1160 N/A C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe C:\Windows\SysWOW64\cmd.exe
PID 2360 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe C:\Windows\Logo1_.exe
PID 2360 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe C:\Windows\Logo1_.exe
PID 2360 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe C:\Windows\Logo1_.exe
PID 2596 wrote to memory of 2076 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2596 wrote to memory of 2076 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2596 wrote to memory of 2076 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2076 wrote to memory of 3276 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2076 wrote to memory of 3276 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2076 wrote to memory of 3276 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1160 wrote to memory of 4356 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe
PID 1160 wrote to memory of 4356 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe
PID 2596 wrote to memory of 3536 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2596 wrote to memory of 3536 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe

"C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a325A.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe

"C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp

Files

memory/2360-0-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Windows\rundl132.exe

MD5 2b90d375fad4e39663e1c00356e9206b
SHA1 5c84c40605f4af4185647e0a68aafed0ebbdc393
SHA256 623973fd332abcafc9944af01d2fe114d0293a00cc29a67300cde94769b337cf
SHA512 7c9491cf52bdea6936bb7b2e30562941ca26a41587e5fdd05e02d17e37b773ebf0856092b3030ae31da2ce43196682e96873c0c9adfc8525903b11bf36e4806f

memory/2360-12-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2596-13-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a325A.bat

MD5 413cdb88a1f093f464bbe09af1fa4743
SHA1 3bd7d598b6dc44768363e0d13ce48c3a971b3365
SHA256 47b4796252f70fb4153bb74cb83e537a56f61d473c3e7aca4c2e9d7fc0500e4b
SHA512 27053984f2d254d5b6a35fbb58916e30451c86c0446714f3c7044ef68ff8ead3c46d7f14f6f7d9bd443805643a72be4894feddadf22d4880af8ee924d2fb7fc7

C:\Users\Admin\AppData\Local\Temp\04053d4da072db95dc797eb41c7240e656692cdc67fe17510866c36bf5205aca.exe.exe

MD5 9f498971cbe636662f3d210747d619e1
SHA1 44b8e2732fa1e2f204fc70eaa1cb406616250085
SHA256 8adf6748981c3e7b62f5dbca992be6675574fffbce7673743f2d7fe787d56a41
SHA512 b73083c2f7b028d2946cb8f7b4fe2289fedaa4175364a2aac37db0aeff4602aede772ccc9eba7e6dcfcb7276e52604ca45d8021952201b5834485b48bca3dc93

memory/2596-20-0x0000000000400000-0x0000000000435000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3906287020-2915474608-1755617787-1000\_desktop.ini

MD5 7619ead719f9163af9f64f79eeff7c36
SHA1 7b956c82fba1f4a0ea8b09ca2e39d89159e21b75
SHA256 da9af76d7e3938d1bd300436de0d394ef0453f260a69c94905084222eb3fbb45
SHA512 29dd3ef54766931036c2f0d755bb3fc89619e548c95658577930a5a748ac2b2855a9e5ee5601697ebbac8a7d435abd4c9e9e2255b0e455e267e0d95358fa86df

memory/2596-27-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2596-33-0x0000000000400000-0x0000000000435000-memory.dmp

memory/2596-37-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Program Files\7-Zip\7z.exe

MD5 bab747a805ee67f925718f2624d54a11
SHA1 3f6fa0fe958f3a43e38c66014443e0c261f46bcc
SHA256 03078980fff7ce8873b7e46fd8b79c2a86bb0354fc65268eac2aeff6d981e73e
SHA512 65edbfebdfdf27c496f596bac45f63cd4834dbfb171bd2683a15a3d207b489ee65a045a0b78729005b457f551f128f444fba45baa63c8fe8748f422f48431c14

memory/2596-1231-0x0000000000400000-0x0000000000435000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 6735a16d04dfac1f92f7ab89c64b071f
SHA1 502eaa755229fc80b186faf533cf827c322bab66
SHA256 3a071105a38c10f7fa17dcc239337e999b57b68f4bd05c168b2548956931383c
SHA512 bfe01bb853f187f68d0fe64da2da4cf1d26c0491eb3183a7c7d5e905a1b1c3db90b84c1cdadb00c7d7f733ef32a9153dfa73de5259d9f1c3d401633145b420a8

memory/2596-4797-0x0000000000400000-0x0000000000435000-memory.dmp

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 9cba1e86016b20490fff38fb45ff4963
SHA1 378720d36869d50d06e9ffeef87488fbc2a8c8f7
SHA256 a22e6d0f5c7d44fefc2204e0f7c7b048e1684f6cf249ba98c006bbf791c22d19
SHA512 2f3737d29ea3925d10ea5c717786425f6434be732974586328f03691a35cd1539828e3301685749e5c4135b8094f15b87fb9659915de63678a25749e2f8f5765

memory/2596-5236-0x0000000000400000-0x0000000000435000-memory.dmp