Malware Analysis Report

2025-08-05 16:00

Sample ID 240610-g9e35sdh74
Target 66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf
SHA256 66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf
Tags
Score 7/10

Analysis Overview

Score 7/10

SHA256

66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf

Threat Level: Shows suspicious behavior

The file 66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf was found to show suspicious behavior.

Malicious Activity Summary

Deletes itself

Loads dropped DLL

Executes dropped EXE

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Runs net.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-10 06:30

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-10 06:29

Reported

2024-06-10 06:38

Platform

win7-20231129-en

Max time kernel

100s

Max time network

125s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Vignette\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\com.jrockit.mc.feature.core_5.5.0.165303\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\fonts\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\Shared\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.rcp.feature_1.2.0.v20140523-0116\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\ResizingPanels\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jdb.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\db\lib\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\notification_helper.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.equinox.simpleconfigurator\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\7-Zip\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\FlipPage\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\configuration\org.eclipse.update\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.help_2.0.102.v20141007-2301\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\7-Zip\Lang\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\images\cursors\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\amd64\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Atlantic\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\Performance\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Argentina\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.feature_3.9.1.v20140827-1444\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.core\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\icons\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\DVD Maker\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Memories\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2136 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe C:\Windows\SysWOW64\cmd.exe
PID 2136 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe C:\Windows\Logo1_.exe
PID 2136 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe C:\Windows\Logo1_.exe
PID 2136 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe C:\Windows\Logo1_.exe
PID 2136 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe C:\Windows\Logo1_.exe
PID 3052 wrote to memory of 2244 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3052 wrote to memory of 2244 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3052 wrote to memory of 2244 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 3052 wrote to memory of 2244 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2244 wrote to memory of 2616 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2244 wrote to memory of 2616 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2244 wrote to memory of 2616 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2244 wrote to memory of 2616 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3052 wrote to memory of 1368 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 3052 wrote to memory of 1368 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe

"C:\Users\Admin\AppData\Local\Temp\66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$aBE3.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe

"C:\Users\Admin\AppData\Local\Temp\66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/2136-0-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aBE3.bat

MD5 5403ff0bf3a0a5ab0b00c2d1f7586a1c
SHA1 dba2ac191989b664fd8c097a978c1d49cf21a80b
SHA256 0db066534289acb3d7308af0bb56da5a17175a939c5eeb2735dd66a1159cf3ff
SHA512 3165129c0bd90017766d0e5e36efe0f1b3318b1607fdbbf9aa13ed5931fd37a732e5eb0996127700f931b826b58c546a0be7de626ff5e6d585b66ac21764cb85

memory/2136-12-0x00000000002D0000-0x0000000000306000-memory.dmp

C:\Windows\Logo1_.exe

MD5 ba189b5e31c56a2e16e9c7accf623760
SHA1 52470f4d5e556832e9e4ff4625751ae62219d0ee
SHA256 037c1fc35982012dddedd497646d12ef35654415a14d4bbd467dca672954a3ed
SHA512 8da8c08b8af3450f715d2a04b492f2f459a93695bdf7514441705d041d5aba0df6edbb7a5e69e9a8bcbabd9f3c692e2522365ef2e889db3857043118c6df05b0

memory/2136-18-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3052-19-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe.exe

MD5 ba18e99b3e17adb5b029eaebc457dd89
SHA1 ec0458f3c00d35b323f08d4e1cc2e72899429c38
SHA256 f5ee36de8edf9be2ac2752b219cfdcb7ca1677071b8e116cb876306e9f1b6628
SHA512 1f41929e6f5b555b60c411c7810cbf14e3af26100df5ac4533ec3739a278c1b925687284660efb4868e3741305098e2737836229efc9fe46c97a6057c10e677c

memory/1368-30-0x0000000002B30000-0x0000000002B31000-memory.dmp

memory/3052-32-0x0000000000400000-0x0000000000436000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3627615824-4061627003-3019543961-1000\_desktop.ini

MD5 60b1ffe4d5892b7ae054738eec1fd425
SHA1 80d4e944617f4132b1c6917345b158f3693f35c8
SHA256 5e9944cc48c7ec641cf7b1b0125f47f26102c371a973612f0583f604bc3900d4
SHA512 7f5c200924dbb5531df997e6a35cb94f36b54f5651284b0d6404f0576301125ef72b410a170fca889d46c033063663cfc7791f9e4c3c30695af069053eee66cc

memory/3052-39-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3052-45-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3052-91-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3052-97-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3052-1065-0x0000000000400000-0x0000000000436000-memory.dmp

memory/3052-1850-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 9fff503fad7fa1d9cc7453fdf86ff0e0
SHA1 f9b728ba2e8bf2b3a570583f06b0fd7e9fce4ef2
SHA256 826148f8b31a5372a71adf8f51961e1b59de63c8865393feffb99ece5e113147
SHA512 c00773863ea4b6d88ba1c5a9dcfd2f1033e540c854f2f041bb193f367a9153d54d9fcec0c71e4e9834bbe98a6a5be030b045d34e3b54d69cddfd4d427895af4f

memory/3052-3309-0x0000000000400000-0x0000000000436000-memory.dmp

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 b464d3dbe7cbe8f8203697710e8f5c5c
SHA1 17f186c97adb869ea0db82a0aa40a3eec9ed5a69
SHA256 1d2f8ef72d8a7e7e6ee3f95b3ddd834f48f97f042b29d6d2acc424f51d1cc556
SHA512 99742ff8b486e6613524e071350b41d93c51fcbf8135da8022e3219fdb117b031a310617e220d292a5a274d037f52c7ac9990ada5bc65df1abdb527c9e4949f2

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-10 06:29

Reported

2024-06-10 06:38

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

104s

Command Line

C:\Windows\Explorer.EXE

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\uk-ua\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\he-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\nb-no\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\WidevineCdm\_platform_specific\win_x64\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fr-ma\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\it\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win8-scrollbar\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\fr-ma\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\images\themes\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notificationsUI\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Oracle\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagementSource\uk-UA\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\uk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Car\LTR\contrast-black\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\de-de\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\fr-ma\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\MSBuild\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Snippets\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\FullTrustNotifier.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\themes\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\is\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Security\BrowserCore\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\Voices\beeps\beeps\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\images\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\images\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\uk-ua\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\si\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\de\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\win-scrollbar\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\meta\art\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\video_filter\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\he-IL\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.19071.19011.0_x64__8wekyb3d8bbwe\Assets\contrast-black\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\contrast-black\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\css\core\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\sl-sl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftOfficeHub_18.1903.1152.0_x64__8wekyb3d8bbwe\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fi-fi\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Microsoft Shared\VSTA\Pipeline.v10.0\AddInSideAdapters\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\uk-ua\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Getstarted_8.2.22942.0_neutral_split.scale-200_8wekyb3d8bbwe\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_16005.11629.20316.0_x64__8wekyb3d8bbwe\HxTsr.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4996 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe C:\Windows\SysWOW64\cmd.exe
PID 4996 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe C:\Windows\SysWOW64\cmd.exe
PID 4996 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe C:\Windows\SysWOW64\cmd.exe
PID 4996 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe C:\Windows\Logo1_.exe
PID 4996 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe C:\Windows\Logo1_.exe
PID 4996 wrote to memory of 2400 N/A C:\Users\Admin\AppData\Local\Temp\66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe C:\Windows\Logo1_.exe
PID 2400 wrote to memory of 4404 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2400 wrote to memory of 4404 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2400 wrote to memory of 4404 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4404 wrote to memory of 1624 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4404 wrote to memory of 1624 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4404 wrote to memory of 1624 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2400 wrote to memory of 3412 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2400 wrote to memory of 3412 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe

"C:\Users\Admin\AppData\Local\Temp\66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a5004.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe

"C:\Users\Admin\AppData\Local\Temp\66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 144.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp

Files

memory/4996-0-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Windows\rundl132.exe

MD5 ba189b5e31c56a2e16e9c7accf623760
SHA1 52470f4d5e556832e9e4ff4625751ae62219d0ee
SHA256 037c1fc35982012dddedd497646d12ef35654415a14d4bbd467dca672954a3ed
SHA512 8da8c08b8af3450f715d2a04b492f2f459a93695bdf7514441705d041d5aba0df6edbb7a5e69e9a8bcbabd9f3c692e2522365ef2e889db3857043118c6df05b0

memory/2400-11-0x0000000000400000-0x0000000000436000-memory.dmp

memory/4996-10-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\66e7cf0074df6f8113d916150df7020efa7d4331e1fca3a8e8dd970c308b8ddf.exe.exe

MD5 ba18e99b3e17adb5b029eaebc457dd89
SHA1 ec0458f3c00d35b323f08d4e1cc2e72899429c38
SHA256 f5ee36de8edf9be2ac2752b219cfdcb7ca1677071b8e116cb876306e9f1b6628
SHA512 1f41929e6f5b555b60c411c7810cbf14e3af26100df5ac4533ec3739a278c1b925687284660efb4868e3741305098e2737836229efc9fe46c97a6057c10e677c

C:\Users\Admin\AppData\Local\Temp\$$a5004.bat

MD5 62019ba06e7040e9d87bba27d275af85
SHA1 a5b867ff91f4b93c4cfc38d982a485a678241f20
SHA256 29ae213d49e96668e3657b7205617964b9ba4b6a3385dab2873be0224cb57403
SHA512 12199f6648b2721d6bcea96fd3f4093419bef848b94929500d8f371a898b771396a3f83fe0a0b804faf8ff01d752748997d57d40427bd4aebd9a16ef77acf4f3

memory/2400-20-0x0000000000400000-0x0000000000436000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-2804150937-2146708401-419095071-1000\_desktop.ini

MD5 60b1ffe4d5892b7ae054738eec1fd425
SHA1 80d4e944617f4132b1c6917345b158f3693f35c8
SHA256 5e9944cc48c7ec641cf7b1b0125f47f26102c371a973612f0583f604bc3900d4
SHA512 7f5c200924dbb5531df997e6a35cb94f36b54f5651284b0d6404f0576301125ef72b410a170fca889d46c033063663cfc7791f9e4c3c30695af069053eee66cc

memory/2400-27-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2400-33-0x0000000000400000-0x0000000000436000-memory.dmp

memory/2400-37-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Program Files\7-Zip\7z.exe

MD5 8d8715c87a2cb853487aea6cd7400bde
SHA1 85bbc8edd7f5a99cf13e75e2df48c0d41e62fa7f
SHA256 d3b5c031761699a91b97afb5aab4c5a651810612ac4caaa38fc9adcf4be95080
SHA512 052307804dec7d1bf2fb99e297ddef910f8d42dcbd4106eb3c84c4a5980e896d936e0f25422dd2ed5190174fc920a18c7e589b18b321bdd57280c67e10f76b59

memory/2400-1231-0x0000000000400000-0x0000000000436000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 9fff503fad7fa1d9cc7453fdf86ff0e0
SHA1 f9b728ba2e8bf2b3a570583f06b0fd7e9fce4ef2
SHA256 826148f8b31a5372a71adf8f51961e1b59de63c8865393feffb99ece5e113147
SHA512 c00773863ea4b6d88ba1c5a9dcfd2f1033e540c854f2f041bb193f367a9153d54d9fcec0c71e4e9834bbe98a6a5be030b045d34e3b54d69cddfd4d427895af4f

memory/2400-4797-0x0000000000400000-0x0000000000436000-memory.dmp

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 c168f1400f09b767044170c5c0603287
SHA1 806b134d2145304a602bc358c2664cc266a52aeb
SHA256 05d52614bdae4496eb435a35b3eb91cc424abb582fdaaae8a8f96a3cf34e2676
SHA512 532f698580361daa78290a7871c1a58fd6e9a445ec78224f7b90bea454fb15183eaa9cee1ef9dcf3fb30a56b5fa6e57de67b817fe04cd5bd61ca5e6710f8f9a1

memory/2400-5236-0x0000000000400000-0x0000000000436000-memory.dmp