Malware Analysis Report

2024-10-19 08:23

Sample ID 240613-xche1asank
Target baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9
SHA256 baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9
Tags
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9

Threat Level: Shows suspicious behavior

The file baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9 was found to be: Shows suspicious behavior.

Malicious Activity Summary


Loads dropped DLL

Deletes itself

Executes dropped EXE

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Runs net.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 18:42

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 18:42

Reported

2024-06-13 18:44

Platform

win7-20240419-en

Max time kernel

150s

Max time network

119s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Microsoft Games\Purble Place\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\it\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\ja-JP\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\bn\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Document Parts\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\config\Modules\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\bin\rmid.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Defender\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\SaslPrep\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Smart Tag\LISTS\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\ink\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\lib\zi\America\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Mahjong\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Minesweeper\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\stream_extractor\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\ODeploy.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PAPYRUS\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\FORMS\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\STS2\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\win_x64\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Kentucky\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ast\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLUEPRNT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Defender\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\modules\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\nl\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\People\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Multiplayer\Checkers\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\klist.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre7\lib\cmm\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\images\cursors\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\MSBuild\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\wa\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\setup_wm.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Media Player\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\DVD Maker\Shared\DvdStyles\Travel\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\America\Indiana\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\gu\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3012 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe C:\Windows\SysWOW64\cmd.exe
PID 3012 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe C:\Windows\Logo1_.exe
PID 3012 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe C:\Windows\Logo1_.exe
PID 3012 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe C:\Windows\Logo1_.exe
PID 3012 wrote to memory of 2080 N/A C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe C:\Windows\Logo1_.exe
PID 2812 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe
PID 2812 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe
PID 2812 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe
PID 2812 wrote to memory of 2676 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe
PID 2080 wrote to memory of 2660 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2080 wrote to memory of 2660 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2080 wrote to memory of 2660 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2080 wrote to memory of 2660 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2660 wrote to memory of 2756 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2660 wrote to memory of 2756 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2660 wrote to memory of 2756 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2660 wrote to memory of 2756 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2080 wrote to memory of 1152 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 2080 wrote to memory of 1152 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe

"C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1390.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe

"C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe"

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

Network

N/A

Files

memory/3012-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a1390.bat

MD5 164471303740d63fb439151d662d3b12
SHA1 a0b53746bc5de13c907a7bc02954737673797b5b
SHA256 01da07db47e31cb7f06ea6dc9b5d958823de11e5a2d089b08ed1e0541d66463f
SHA512 d3ebab2fe586736dcee709f3bb0694b8d73f9d27e3bedf026ce22a1c86f3f623db12737f011769ec3e4c69d87e094be63ea90e7b13a36a6f3976462887686cc9

memory/3012-12-0x00000000020F0000-0x0000000002124000-memory.dmp

C:\Windows\Logo1_.exe

MD5 f0eb54d6d17689ab4e229ce122317bbc
SHA1 93a5a82c43c6d4089ccccfc434985a9c3baa1dc4
SHA256 80da141e0ba00151479dedc491ae3a1d967e9e30f06b29a4eda22d6fd1ba03b6
SHA512 cd5c2bc37516daa390924b54f1108551437988303c4ce7aa33c2bb44418e78a7d68d129fa6769a3eae9fb7aa5281730e8282ab75c06a5cb63cc211f88a213f37

memory/3012-18-0x00000000020F0000-0x0000000002124000-memory.dmp

memory/3012-17-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe.exe

MD5 7f3528cd8c220c32eb5453c2e50c2435
SHA1 e7434bb57eec4bbfcb6375ee8c33d5d0a8a1d4e5
SHA256 e83b0a57520815815e5e2e1fb8014f5d340369a2252a1ff97ab67d099c9a4315
SHA512 b73aee0b78051f1b16535282bec757ce516d3a25d9af67cd358100663f352a9a571a6413846a46b96f3ac5b3137bfac418941c79e87ff7b58d41cdaa73051d6f

memory/1152-30-0x0000000002AF0000-0x0000000002AF1000-memory.dmp

memory/2080-34-0x0000000000400000-0x0000000000434000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-481678230-3773327859-3495911762-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

memory/2080-41-0x0000000000400000-0x0000000000434000-memory.dmp

memory/3012-42-0x00000000020F0000-0x0000000002124000-memory.dmp

memory/2080-48-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2080-94-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2080-100-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2080-477-0x0000000000400000-0x0000000000434000-memory.dmp

memory/2080-1877-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 412c84a84ee1f753aab61983dab81871
SHA1 3ff6d44a264e52f0bc0c644fe399ec99bf9ef013
SHA256 1cfea775593e7ce2c698a171a33c7e21fb545e2c67ba6c47777d8e461ac8f1c4
SHA512 3c52c6534a62bf11eedc332810e04d8854392f546f33736cc88fdaaf9fba0744269bbfd4e75545c0b50f6d0556bb3b855df407bc54e6c5a54f4cbbe5f9b07dd9

memory/2080-3337-0x0000000000400000-0x0000000000434000-memory.dmp

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

MD5 99ea9b604a7a734d3087fa6159684c42
SHA1 709fa1068ad4d560fe03e05b68056f1b0bedbfc8
SHA256 3f733f9e6fec7c4165ca8ba41eb23f604a248babe794c4ad2c6c3ce8032aab1c
SHA512 7af8008c7e187f925c62efc97e1891a7a38d089302dba39fbde137fb895e0592847ed0982c824c2075be8e6b95b6ce165ecb848ab85adf53779ebef613410fbb

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 18:42

Reported

2024-06-13 18:44

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

51s

Command Line

C:\Windows\Explorer.EXE

Signatures

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\km\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\mk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\zu\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\ca-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\pl-pl\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Google\Chrome\Application\chrome.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\jre\bin\tnameserv.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\images\file_types\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\fi-fi\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\Calculator\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\wsgen.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Place\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\sq-AL\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\TrafficHub\contrast-white\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ca-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\Localized_images\nb-no\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\Services\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre8\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Mozilla Firefox\gmp-clearkey\0.1\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\da\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\cs-cz\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\mk-MK\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Windows.Photos_2019.19071.12548.0_x64__8wekyb3d8bbwe\Lumia.MagicEdit\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_x64__kzf8qxf38zg5c\Assets\Fonts\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\plugins\rhp\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ca-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\walk-through\js\nls\fi-fi\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeUpdate_bk\Download\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jmap.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\modules\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Tracker\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\jre\lib\applet\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\Viewpoints\Light\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.SkypeApp_14.53.77.0_neutral_split.scale-100_kzf8qxf38zg5c\Assets\Images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.XboxApp_48.49.31001.0_x64__8wekyb3d8bbwe\Toolkit\Images\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\ja\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\sk-sk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\ko-kr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\zh-tw\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\bg\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\lt\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\tr\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Car\RTL\contrast-white\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\nl-nl\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\hu-hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\sl-si\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk-1.8\include\win32\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\SecondaryTiles\Collections\contrast-black\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_x64__8wekyb3d8bbwe\Assets\SecondaryTiles\Place\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe N/A

Runs net.exe

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 972 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 2352 N/A C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe C:\Windows\SysWOW64\cmd.exe
PID 972 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe C:\Windows\Logo1_.exe
PID 972 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe C:\Windows\Logo1_.exe
PID 972 wrote to memory of 4788 N/A C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe C:\Windows\Logo1_.exe
PID 4788 wrote to memory of 620 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4788 wrote to memory of 620 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 4788 wrote to memory of 620 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 620 wrote to memory of 2796 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 620 wrote to memory of 2796 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 620 wrote to memory of 2796 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2352 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe
PID 2352 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe
PID 2352 wrote to memory of 2000 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe
PID 4788 wrote to memory of 3404 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 4788 wrote to memory of 3404 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe

"C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$a4268.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe

"C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe"

Network

Files

memory/972-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\Logo1_.exe

MD5 f0eb54d6d17689ab4e229ce122317bbc
SHA1 93a5a82c43c6d4089ccccfc434985a9c3baa1dc4
SHA256 80da141e0ba00151479dedc491ae3a1d967e9e30f06b29a4eda22d6fd1ba03b6
SHA512 cd5c2bc37516daa390924b54f1108551437988303c4ce7aa33c2bb44418e78a7d68d129fa6769a3eae9fb7aa5281730e8282ab75c06a5cb63cc211f88a213f37

memory/972-8-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4788-10-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$a4268.bat

MD5 645d6f0b64166a20914803773469f65d
SHA1 999a31422dff925f3d1277afc14d84fed4cea4f8
SHA256 9c5277c6044ab4203d90b20dcf36220197bcf7828c245829b888f0cf47f31e04
SHA512 4fa983bbe691a1f7be876b212e43af3e4457460931ee35cb4f1a897f7b60db8f42943a887667d7b0b7a7e554f184afd6574c116e9f18b244e36459aeb2b83f87

C:\Users\Admin\AppData\Local\Temp\baae1b5d1e75efbde5bbc7312d95d9bd1b62dc85f65ffed6333307d07240cee9.exe.exe

MD5 7f3528cd8c220c32eb5453c2e50c2435
SHA1 e7434bb57eec4bbfcb6375ee8c33d5d0a8a1d4e5
SHA256 e83b0a57520815815e5e2e1fb8014f5d340369a2252a1ff97ab67d099c9a4315
SHA512 b73aee0b78051f1b16535282bec757ce516d3a25d9af67cd358100663f352a9a571a6413846a46b96f3ac5b3137bfac418941c79e87ff7b58d41cdaa73051d6f

memory/4788-19-0x0000000000400000-0x0000000000434000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-4124900551-4068476067-3491212533-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

memory/4788-26-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4788-32-0x0000000000400000-0x0000000000434000-memory.dmp

memory/4788-36-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Program Files\7-Zip\7z.exe

MD5 ae4a0b79964b8785cfae2eb5fa11e34a
SHA1 5c14a9bc200fa19b4863aa8aed3e8356a3a5ae9d
SHA256 dc35631c1a06060be298409e2cf36395641714e2e7edf18de0fdf41794cbcf7e
SHA512 9e8e01d697d8c404894981ab54a602cb2d1d0c4ed75736382edff6b2c1260da9ffa692cc13790a63e775356976e39f699af226ce53e05bea94d285cb3d952fb5

memory/4788-1230-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 412c84a84ee1f753aab61983dab81871
SHA1 3ff6d44a264e52f0bc0c644fe399ec99bf9ef013
SHA256 1cfea775593e7ce2c698a171a33c7e21fb545e2c67ba6c47777d8e461ac8f1c4
SHA512 3c52c6534a62bf11eedc332810e04d8854392f546f33736cc88fdaaf9fba0744269bbfd4e75545c0b50f6d0556bb3b855df407bc54e6c5a54f4cbbe5f9b07dd9

memory/4788-4796-0x0000000000400000-0x0000000000434000-memory.dmp

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 53ee62011469b286a2a1b5658c86b9bf
SHA1 9bdac0b23b0a965947c780c6a6b48fc7122f9ade
SHA256 7125735e4e8595f1c17ff3235bc65dacabc2ec874b29ac7ba8eddd80ad10b3c0
SHA512 c9c24e578da0a38048e71548fac66465bcb624e971f745bba559e8c49fd621752e718d4c983a90a97277407bb23348ca109436e1eeebef030c3b599c712ff236

memory/4788-5235-0x0000000000400000-0x0000000000434000-memory.dmp