Malware Analysis Report

2025-04-14 04:41

Sample ID 240612-3qb32ayhpk
Target 4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c
SHA256 4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c
Tags
Score 7/10

Analysis Overview

Score 7/10

SHA256 4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c

Threat Level: Shows suspicious behavior

Verdict: the file 4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c shows suspicious behavior (score 7/10).

Malicious Activity Summary


Deletes itself

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Drops file in Windows directory

Drops file in Program Files directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Runs net.exe

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-12 23:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-12 23:42

Reported

2024-06-12 23:45

Platform

win7-20240221-en

Max time kernel

150s

Max time network

123s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory (also opens existing executables there for modification: SC_Reader.exe, ONENOTEM.EXE, SETLANG.EXE, Hearts.exe, vlc-cache-gen.exe; compare those binaries against vendor originals before trusting them)

Description Indicator Process Target
File created C:\Program Files\VideoLAN\VLC\locale\ks_IN\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\AddInSideAdapters\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Pets\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\lib\ext\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\SpiderSolitaire\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\de\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ca\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Library\SOLVER\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\playlist\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Google\Update\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\SpringGreen\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\TRANSLAT\ENES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office64.WW\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\IRIS\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SAMPLES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Photo Viewer\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\fi\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\ja-JP\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\FreeCell\en-US\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\fonts\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Portable Devices\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows NT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Photo Viewer\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\EQUATION\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\WATERMAR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\ONENOTEM.EXE C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Hearts\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fa\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\kk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ug\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\ink\1.7\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\VSTA\Pipeline.v10.0\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\SETLANG.EXE C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Hearts\Hearts.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\modules\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe N/A

Runs net.exe (net stop "Kingsoft AntiVirus Service", launched by C:\Windows\Logo1_.exe; see Processes below)

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2180 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe C:\Windows\Logo1_.exe
PID 2180 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe C:\Windows\Logo1_.exe
PID 2180 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe C:\Windows\Logo1_.exe
PID 2180 wrote to memory of 2548 N/A C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe C:\Windows\Logo1_.exe
PID 2548 wrote to memory of 2556 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2548 wrote to memory of 2556 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2548 wrote to memory of 2556 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2548 wrote to memory of 2556 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2556 wrote to memory of 2724 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2556 wrote to memory of 2724 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2556 wrote to memory of 2724 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2556 wrote to memory of 2724 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2540 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe
PID 2540 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe
PID 2540 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe
PID 2540 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe
PID 2548 wrote to memory of 1188 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2548 wrote to memory of 1188 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
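The table above is the only place in this report that ties PIDs to images, so it is the raw material for reconstructing the process tree of this run. The script below is an added example written for this page, not output of the sandbox: it parses rows in exactly the format printed above (a subset of the repeated rows, copied verbatim), treats a write by a parent into a PID it launched as ordinary process creation, and separates out the one write into a process that already existed before the sample, Explorer.EXE, PID 1188 (the root listed under Command Line, with its memory dump at memory/1188-29 in Files). That pre-existing-PID set is the only assumption the code makes.

```python
"""Rebuild the behavioral1 process tree from the report's
"Suspicious use of WriteProcessMemory" rows. Added example, not part
of the sandbox report."""
import re
from collections import defaultdict

# Path of the submitted sample exactly as the report prints it.
SAMPLE = (r"C:\Users\Admin\AppData\Local\Temp"
          r"\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe")

# Rows copied from the table above; <SAMPLE> is expanded to SAMPLE.
# The sandbox logs one row per write, so the repeated rows are real events.
ROWS = r"""
PID 2180 wrote to memory of 2540 N/A <SAMPLE> C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 2540 N/A <SAMPLE> C:\Windows\SysWOW64\cmd.exe
PID 2180 wrote to memory of 2548 N/A <SAMPLE> C:\Windows\Logo1_.exe
PID 2180 wrote to memory of 2548 N/A <SAMPLE> C:\Windows\Logo1_.exe
PID 2548 wrote to memory of 2556 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2556 wrote to memory of 2724 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2540 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe <SAMPLE>
PID 2548 wrote to memory of 1188 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
""".replace("<SAMPLE>", SAMPLE)

# Columns: writer PID, target PID, Indicator (always N/A here), Process, Target.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\S+) (.+)$")
# Image paths in this table contain no spaces, so each path ends at whitespace.
PATH_RE = re.compile(r"[A-Za-z]:\\\S+")


def parse_rows(text):
    """Yield (writer_pid, target_pid, writer_image, target_image) per table row."""
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue                      # header or blank line
        paths = PATH_RE.findall(m.group(4))
        if len(paths) != 2:
            raise ValueError("cannot split Process/Target columns: " + line)
        yield int(m.group(1)), int(m.group(2)), paths[0], paths[1]


def build_tree(text, preexisting):
    """Return (children, images, injections).

    A write into a PID the writer launched is recorded as a parent->child
    edge. A write into a PID in `preexisting` (a process that was running
    before the sample started) is kept apart as an injection candidate.
    """
    children = defaultdict(list)
    images = {}
    injections = []
    for wpid, tpid, wimg, timg in parse_rows(text):
        images.setdefault(wpid, wimg)
        images.setdefault(tpid, timg)
        if tpid in preexisting:
            if (wpid, tpid) not in injections:
                injections.append((wpid, tpid))
        elif tpid not in children[wpid]:
            children[wpid].append(tpid)
    return children, images, injections


def render(children, images, root):
    """Indented text tree below `root`, one process per line."""
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"{pid} {images[pid]}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    children, images, injections = build_tree(ROWS, preexisting={1188})
    print(render(children, images, root=2180))
    for wpid, tpid in injections:
        print(f"write into pre-existing process: {wpid} {images[wpid]} "
              f"-> {tpid} {images[tpid]}")
```

Run stand-alone it prints the sample (2180) with two branches: cmd.exe (2540) re-launching the sample as 2752 via the $$a2D28.bat batch file, and Logo1_.exe (2548) spawning net.exe (2556) and net1.exe (2724) for the service stop; the write from 2548 into Explorer.EXE (1188) is reported separately, since that is the only event in the table that is not explained by process creation.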

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe

"C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a2D28.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe

"C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe"

Network

N/A

Files

memory/2180-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\rundl132.exe

MD5 d1bd53e7079e1416e563b6787c74f3f8
SHA1 dfbb7850f591cc74bcbe86418b5ef11522e9e7b0
SHA256 b4a3413d2027dc45862a0959c413db5f6b7e932c3c61660c2c3df78804d1db2e
SHA512 bacb9edc071341e8ea9dfd8309126f1bc29dbcc9b0cb4a9212b9ad6f6381bc2aae8f9c300eeb3e17e1519d90456e651270e316497daa5ed0f23b69a10fdd129f

memory/2548-18-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2180-16-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a2D28.bat

MD5 496a9277da55ccb30d99d9f8a103aefa
SHA1 15aea04d2bc7cadd098a3bea05e18b8029323912
SHA256 aded070cafe0cb7f9784737d041f7f4ab77e0bce1ae85891ea1a0800dc2436ad
SHA512 987d851bc6cd8d02d79df25fa0615ca4ef851c1b555446023ab1c2a73f4c72b0e0e7ab31581bf596fff1ec954d1c23294265eac99836ae3e77a5e1d2bc10e798

C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe.exe

MD5 1bd1483a7c02d3c1b41b9b1c267ce18a
SHA1 5106e8b8e4c292ba6aa53e85755e42b721f4d8c7
SHA256 97fe1e3fd8bd54531af1d0ec7a41428a5767ff205e3629deb0e7f6dd1d8e52ce
SHA512 e0380278791f8e0c3c67375e2c9b39f9f4485698565f6f91e70b3223b8232ad842e87ad3b7e1e92c31f0e92d27e6b51102576a6ae788957b5b4e3a1fccc3f925

memory/1188-29-0x00000000024F0000-0x00000000024F1000-memory.dmp

memory/2548-31-0x0000000000400000-0x0000000000434000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-1298544033-3225604241-2703760938-1000\_desktop.ini

MD5 1f206a052c160fd77308863abd810887
SHA1 3b27ec1dc4b51fb7f1793a9ca9bb0d2e53e60eb1
SHA256 45129bd309ca763a88c6bf438896e82b939d6491036658c4512c57f8353938c1
SHA512 bd7857c146b01a49d34d4eb84053353eeb586bee6916426179305d5e2360559adea4040fe2184a3a803943ff4e6526cc38c665f9a808355619628868d53fbed5

memory/2548-38-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2548-44-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2548-90-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2548-96-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2548-579-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2548-1849-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2548-2211-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 f94afa1cae163777a4ead07058d9b026
SHA1 f9076e8e06e3f5eaf76ce771473be0b0045fc3e9
SHA256 cd34b8f29d1c48674d4079c529efef3554200bfcef576bb55a2e3f03ce0f2362
SHA512 54be6fb01f76381ecde1f9cbe7d8d80f23622833bd89e6cfd3506942aa19387acf77c9b96fb6b3375f83158c51c2b6369071a155cb084f2f92cc4ae3286c4f18

memory/2548-3309-0x0000000000400000-0x0000000000434000-memory.dmp

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 4cfdb20b04aa239d6f9e83084d5d0a77
SHA1 f22863e04cc1fd4435f785993ede165bd8245ac6
SHA256 30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9
SHA512 35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86
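The file artefacts recorded in this run (Logo1_.exe, rundl132.exe and vDll.dll in C:\Windows, _desktop.ini files written into Program Files subfolders and the recycle bin, a $$a<hex>.bat file in the user's Temp directory) are the cheapest thing to check on a suspect host. The script below is an added example for this page, not part of the sandbox report. It uses the report's own paths and SHA256 values: rundl132.exe in this run and Logo1_.exe in the Windows 10 run share the hash b4a3413d...db2e, vDll.dll has no hash recorded, and the batch file suffix differs between runs ($$a2D28.bat here, $$a4BFD.bat on Windows 10), so it is matched by pattern. Windows itself uses desktop.ini without the leading underscore, so the _desktop.ini name is matched by presence rather than by hash. The only assumption is the volume root you pass in (C:\ on a live host, or the mount point of an offline image).

```python
"""Look for the file artefacts this report records on a Windows volume
(live, or an offline mount/copy). Added example, not part of the report."""
import hashlib
from pathlib import Path

# SHA256 values from the Files sections. rundl132.exe (Windows 7 run) and
# Logo1_.exe (Windows 10 run) carry the same hash; vDll.dll is created in
# both runs but no hash is recorded for it.
SAME_HASH = "b4a3413d2027dc45862a0959c413db5f6b7e932c3c61660c2c3df78804d1db2e"
DROPPED = {
    Path("Windows/Logo1_.exe"): SAME_HASH,
    Path("Windows/rundl132.exe"): SAME_HASH,
    Path("Windows/vDll.dll"): None,
}
MARKER = "_desktop.ini"        # written under Program Files trees and $RECYCLE.BIN
BAT_GLOB = "$$a*.bat"          # $$a2D28.bat / $$a4BFD.bat: suffix changes per run

MATCH = "hash matches report"
DIFFERS = "hash differs from report (variant or overwritten)"
NO_REF = "no reference hash in report"


def sha256_of(path, chunk=1 << 20):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def scan(root, reference=DROPPED):
    """Return (findings, markers, bats).

    findings: [(relative path, sha256, status)] for dropped files present
    markers : _desktop.ini files under both Program Files trees
    bats    : $$a*.bat files under any user's Local\\Temp directory
    """
    root = Path(root)
    findings = []
    for rel, expected in reference.items():
        p = root / rel
        if not p.is_file():
            continue
        digest = sha256_of(p)
        if expected is None:
            status = NO_REF
        elif digest == expected:
            status = MATCH
        else:
            status = DIFFERS
        findings.append((rel.as_posix(), digest, status))

    markers = []
    for base in ("Program Files", "Program Files (x86)"):
        d = root / base
        if d.is_dir():
            markers.extend(sorted(d.rglob(MARKER)))

    bats = []
    users = root / "Users"
    if users.is_dir():
        bats = sorted(users.glob("*/AppData/Local/Temp/" + BAT_GLOB))
    return findings, markers, bats


def demo():
    """Scan a constructed directory tree that mimics the drop layout.
    Contents are placeholders, so the Logo1_.exe hash will not match."""
    import tempfile
    root = Path(tempfile.mkdtemp(prefix="logo1-demo-"))
    constructed = {
        "Windows/Logo1_.exe": b"placeholder bytes, not the sample",
        "Windows/vDll.dll": b"placeholder bytes",
        "Program Files/VideoLAN/VLC/lua/playlist/_desktop.ini": b"placeholder",
        "Users/Admin/AppData/Local/Temp/$$a2D28.bat": b"@echo off\r\n",
    }
    for rel, data in constructed.items():
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)
    return root, scan(root)


if __name__ == "__main__":
    root, (findings, markers, bats) = demo()
    for item in findings:
        print(*item)
    print(f"{len(markers)} {MARKER} marker(s), {len(bats)} {BAT_GLOB} file(s) under {root}")
```

A hash that differs from the report is still a finding: the report shows the same dropper contents on two platforms, but a different build of the same family would drop a file of the same name with a different hash, which is why the status strings distinguish "differs" from "absent". The recursive walk over both Program Files trees is the slow part on a live host; point `scan` at an offline copy when triaging many machines.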

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-12 23:42

Reported

2024-06-12 23:45

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

101s

Command Line

C:\Windows\Explorer.EXE

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Reference Assemblies\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\skins\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.BingWeather_4.25.20211.0_x64__8wekyb3d8bbwe\Assets\AppTiles\Spacer\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Work\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\plugins\rhp\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hu-hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\assets\Sample Files\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\pl-pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\tool\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\he-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\ARM\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Adobe\HelpCfg\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Adobe\Reader\DC\Linguistics\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Office 15\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ne\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\vi\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ScreenSketch_10.1907.2471.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\nb-no\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\images\themes\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\amd64\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\plugins\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\cs-cz\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sk-sk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\dtplugin\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\be-BY\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactNative\Tracing\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsStore_11910.1002.5.0_x64__8wekyb3d8bbwe\Microsoft.UI.Xaml\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\ro-ro\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\pt-BR\View3d\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxSpeechToTextOverlay_1.17.29001.0_neutral_split.scale-100_8wekyb3d8bbwe\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\en-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\ResiliencyLinks\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\fr-fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\Application\110.0.5481.104\MEIPreload\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsSoundRecorder_2019.716.2313.0_neutral_~_8wekyb3d8bbwe\microsoft.system.package.metadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\es-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\en-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\fa-IR\View3d\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_4.4.8204.0_x64__8wekyb3d8bbwe\loc_archives\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\XboxApp.Resource\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\ca-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Microsoft.PowerShell.Operation.Validation\1.0.1\Test\Modules\Example1.Diagnostics\Diagnostics\Simple\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\cs-cz\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Photo Viewer\uk-UA\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MicrosoftStickyNotes_3.6.73.0_x64__8wekyb3d8bbwe\Assets\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\ReactAssets\assets\RNApp\app\uwp\images\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe (net stop "Kingsoft AntiVirus Service", launched by C:\Windows\Logo1_.exe; see Processes below)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1604 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe C:\Windows\SysWOW64\cmd.exe
PID 1604 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe C:\Windows\SysWOW64\cmd.exe
PID 1604 wrote to memory of 116 N/A C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe C:\Windows\SysWOW64\cmd.exe
PID 1604 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe C:\Windows\Logo1_.exe
PID 1604 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe C:\Windows\Logo1_.exe
PID 1604 wrote to memory of 436 N/A C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe C:\Windows\Logo1_.exe
PID 436 wrote to memory of 4472 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 436 wrote to memory of 4472 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 436 wrote to memory of 4472 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4472 wrote to memory of 3920 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4472 wrote to memory of 3920 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 4472 wrote to memory of 3920 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 116 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe
PID 116 wrote to memory of 2728 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe
PID 436 wrote to memory of 3400 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 436 wrote to memory of 3400 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe

"C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4BFD.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe

"C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe"

Network

Country Destination Domain Proto
US 52.111.227.14:443 tcp

Files

memory/1604-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\Logo1_.exe

MD5 d1bd53e7079e1416e563b6787c74f3f8
SHA1 dfbb7850f591cc74bcbe86418b5ef11522e9e7b0
SHA256 b4a3413d2027dc45862a0959c413db5f6b7e932c3c61660c2c3df78804d1db2e
SHA512 bacb9edc071341e8ea9dfd8309126f1bc29dbcc9b0cb4a9212b9ad6f6381bc2aae8f9c300eeb3e17e1519d90456e651270e316497daa5ed0f23b69a10fdd129f

memory/436-13-0x0000000000400000-0x0000000000434000-memory.dmp

memory/1604-9-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a4BFD.bat

MD5 b54edc6369ccd03d5500538b879e526f
SHA1 e117e44892e553db7bafe11d024b97b9d79f7372
SHA256 518488543a3e4ab5a2a1f535b48680af1b94dd1e4e92992c919dcfe6ca1cef64
SHA512 41d2ff530ace2cd8adce60c2e969937e04a80f160e30fd1640cd640e1bca85c6e6c7b5c399be08a8b6e7e05b2ce79c48edb4401fa9e4ad3619aea7edb04a7edb

C:\Users\Admin\AppData\Local\Temp\4f0e4f648fe4146d3e8f42e1da12606cde8c423a35556729d5069e241a0c1b5c.exe.exe

MD5 1bd1483a7c02d3c1b41b9b1c267ce18a
SHA1 5106e8b8e4c292ba6aa53e85755e42b721f4d8c7
SHA256 97fe1e3fd8bd54531af1d0ec7a41428a5767ff205e3629deb0e7f6dd1d8e52ce
SHA512 e0380278791f8e0c3c67375e2c9b39f9f4485698565f6f91e70b3223b8232ad842e87ad3b7e1e92c31f0e92d27e6b51102576a6ae788957b5b4e3a1fccc3f925

memory/436-20-0x0000000000400000-0x0000000000434000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-3558294865-3673844354-2255444939-1000\_desktop.ini

MD5 1f206a052c160fd77308863abd810887
SHA1 3b27ec1dc4b51fb7f1793a9ca9bb0d2e53e60eb1
SHA256 45129bd309ca763a88c6bf438896e82b939d6491036658c4512c57f8353938c1
SHA512 bd7857c146b01a49d34d4eb84053353eeb586bee6916426179305d5e2360559adea4040fe2184a3a803943ff4e6526cc38c665f9a808355619628868d53fbed5

memory/436-27-0x0000000000400000-0x0000000000434000-memory.dmp

memory/436-33-0x0000000000400000-0x0000000000434000-memory.dmp

memory/436-37-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Program Files\DisconnectAdd.exe

MD5 b1d0c7ad56549e53cc860796162d55a5
SHA1 52a94b46b04686ad4cc41b86c61833765aab7d93
SHA256 7c377bc1ae973ebce38c5f3d473227fb647c3ab21957a937e27ea91e2fd96603
SHA512 77ef248a25ac77094a36fa4eca07e512f0b707d08b383829dfca3acb0eb707e446c059f71bab10a6348cab3c8c640fe3a798219107a81bc183296ca6af4f872f

memory/436-1232-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 f94afa1cae163777a4ead07058d9b026
SHA1 f9076e8e06e3f5eaf76ce771473be0b0045fc3e9
SHA256 cd34b8f29d1c48674d4079c529efef3554200bfcef576bb55a2e3f03ce0f2362
SHA512 54be6fb01f76381ecde1f9cbe7d8d80f23622833bd89e6cfd3506942aa19387acf77c9b96fb6b3375f83158c51c2b6369071a155cb084f2f92cc4ae3286c4f18

memory/436-4798-0x0000000000400000-0x0000000000434000-memory.dmp

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 2500f702e2b9632127c14e4eaae5d424
SHA1 8726fef12958265214eeb58001c995629834b13a
SHA256 82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c
SHA512 f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

memory/436-5237-0x0000000000400000-0x0000000000434000-memory.dmp