Analysis Overview
SHA256
490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe
Threat Level: Shows suspicious behavior
The file 490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe was found to be: Shows suspicious behavior.
Malicious Activity Summary
Drops startup file
Executes dropped EXE
Reads user/profile data of web browsers
Deletes itself
Loads dropped DLL
Enumerates connected drives
Drops file in Windows directory
Drops file in Program Files directory
Unsigned PE
System Location Discovery: System Language Discovery
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-27 22:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-27 22:19
Reported
2024-10-27 22:23
Platform
win7-20240903-en
Max time kernel
149s
Max time network
123s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\E: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\Logo1_.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Microsoft Games\Mahjong\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Windows Mail\wab.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\Providers\Proximity\11.00\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Java\jre7\lib\ext\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\plugins\video_chroma\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\fr-FR\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins3d\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Document Themes 14\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\HueCycle\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\java-rmi.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\SpeechEngines\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\ne\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Windows Defender\fr-FR\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\plug_ins\VDKHome\ENU\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Resource\TypeSupport\Unicode\Mappings\win\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\el\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\fur\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\DESIGNER\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\AXIS\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\PROFILE\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\Web Server Extensions\14\BIN\1033\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Internet Explorer\it-IT\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\ja\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\CANYON\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\fi\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\th\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\EXPEDITN\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\p2\org.eclipse.equinox.p2.engine\profileRegistry\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre7\bin\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Mozilla Firefox\firefox.exe | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Uninstall Information\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\skins\fonts\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\ja-JP\js\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Games\Multiplayer\Spades\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\nn\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ICE\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\rundl132.exe | C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe | N/A |
| File created | C:\Windows\Logo1_.exe | C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe | N/A |
| File opened for modification | C:\Windows\rundl132.exe | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Windows\Dll.dll | C:\Windows\Logo1_.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Logo1_.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe
"C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe"
C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\$$aBBD0.bat
C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe
"C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe"
C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
Files
memory/2672-0-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\$$aBBD0.bat
| MD5 | 4bcc391fd80bd35dd7f5eb40e21b4dfb |
| SHA1 | 7622ac27611a3fd37b82d5b5211c8cb31f37c94c |
| SHA256 | 15e28876d33525737f335e831057684c9f99655fc4a3e6fba1d5fbc3adc05f07 |
| SHA512 | 12fdb3670b6e489986a50acbef8694e4b7888c8832c49d633126b6742a0b8fe6fa0e947659f2d37c49025587215762ab157555fcb8d0135b0b86f6ddbd9f6586 |
memory/2672-19-0x0000000000230000-0x000000000026F000-memory.dmp
memory/2672-18-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2672-17-0x0000000000230000-0x000000000026F000-memory.dmp
C:\Windows\Logo1_.exe
| MD5 | a41e528e57375acc788aa848f3b18b58 |
| SHA1 | 1df9561f65e3e8e3e987d6b79e202e84f2048b21 |
| SHA256 | 032f6fb6838bbec15be24649eac0293fdc0c6d8794e94aa7a1cb0015587f9401 |
| SHA512 | dfc5b341eef7c2d2930063d29ccc284afd480701d5184d3bf9b0ed9d6c508adb2fb6f9091b767a26917c2b73e920d1125fd1f3d68cfa847c2589f5fdfe0716dc |
memory/2264-20-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe
| MD5 | 87912631f20ab91421228cd219922519 |
| SHA1 | 71a90e384de55c6f5257466e53f6c0add270a01d |
| SHA256 | fcfdb5e2601430a674f599e054f65471e42cb18f8484aa8d8eb38f0c6f4e9c6d |
| SHA512 | 0843a6a6a1e7e6d394db8d939e5e11ddfbed917e262dcb41fddee490d7e1657d45edd93fa2e734a6d8419b2f935ef53c0185d626a83ef1e7d53db8e261f8fc8a |
memory/1112-29-0x0000000002550000-0x0000000002551000-memory.dmp
memory/2264-33-0x0000000000400000-0x000000000043F000-memory.dmp
F:\$RECYCLE.BIN\S-1-5-21-2872745919-2748461613-2989606286-1000\_desktop.ini
| MD5 | 718bfb92f559ca14a82c7a2cb2c8215c |
| SHA1 | 9f17457d0b5980e5a634208930802e20799ee8d6 |
| SHA256 | 3d2fb0ad016be8c2bf29e6b47092e95fb2913f89927c45261dde2f9072b746d6 |
| SHA512 | b612293b28c691823ee89ecda9759567949b1801a9491288a54e505941c4daf1f9f49e358b226fa3b4876b8052ba5c17ccefe71f1b24cc9e1daecd906087ce3e |
C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe
| MD5 | 534ef4a4f5354acf40536ea526912070 |
| SHA1 | e4c6ddc3832ec07c2db4584257e17c6e15324704 |
| SHA256 | 46808cf6fde182857713a967752a528b768377f864af055f38b3bef291a10bd8 |
| SHA512 | a7332b3aa32570f3bcf03d99d1dc2dbee9070dec74141e71c12be6ba6ec137ffcbe4ce93721857b36a3e61909c713241196d51f79480ea2a0c58fc9300b4c467 |
memory/2264-3003-0x0000000000400000-0x000000000043F000-memory.dmp
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe
| MD5 | 13689a976739ee578cca7c130b7fef1a |
| SHA1 | fc996cec103246b14384ca0d44f6dda9263e8287 |
| SHA256 | b834be980b6259818c6bab3ea0c7dce63605f3ffdc3609c7d8969f08e149a22a |
| SHA512 | ea0bdbc66ab6b830721433d7f85db4ae4e8c05afa3b72e13553f331b669b1ffe3917fad2426b6f5b21b674a7e1d88474633143c82825a6ea57b7e16778c8654f |
memory/2264-4193-0x0000000000400000-0x000000000043F000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-27 22:19
Reported
2024-10-27 22:23
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Logo1_.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\Z: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\Logo1_.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\Logo1_.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Microsoft Office\root\Templates\1033\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\16\Stationery\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\root\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\uk-ua\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Common Files\Microsoft Shared\VC\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\dotnet\host\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\home\js\nls\ja-jp\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\eu-es\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Windows Multimedia Platform\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\kab\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\WindowsPowerShell\Modules\Pester\3.4.0\Examples\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\en-gb\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\ja-jp\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\cs-cz\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\fr-fr\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\es\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\images\themes\dark\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\he-il\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Windows Photo Viewer\de-DE\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\de\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\VBA\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\tr-tr\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\nl-nl\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Java\jdk-1.8\lib\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\lua\meta\art\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\es-ES\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\app\dev\nls\fi-fi\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\ja-jp\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\sl-si\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\images\themes\dark\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\ne\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\it-it\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\img\themes\dark\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files-select\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\hr-hr\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\hu-hu\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\REFINED\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\cs-cz\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\es-es\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\es-es\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\plugins\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\fr-ma\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\WindowsPowerShell\Modules\Pester\3.4.0\Examples\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\LEVEL\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk-1.8\bin\javadoc.exe | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUEPRNT\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\EXPEDITN\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\mr\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\VideoLAN\VLC\locale\sk\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\zh-tw\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\images\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ru\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\PlayReadyCdm\_platform_specific\win_x64\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\VideoLAN\VLC\locale\fr\LC_MESSAGES\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\css\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ro-ro\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\SubsetList\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\it-it\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\images\themes\dark\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\en-il\_desktop.ini | C:\Windows\Logo1_.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\Dll.dll | C:\Windows\Logo1_.exe | N/A |
| File created | C:\Windows\rundl132.exe | C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe | N/A |
| File created | C:\Windows\Logo1_.exe | C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe | N/A |
| File opened for modification | C:\Windows\rundl132.exe | C:\Windows\Logo1_.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Logo1_.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\net1.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe
"C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe"
C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aAA2A.bat
C:\Windows\Logo1_.exe
C:\Windows\Logo1_.exe
C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe
"C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe"
C:\Windows\SysWOW64\net.exe
net stop "Kingsoft AntiVirus Service"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | udp |
Files
memory/2072-0-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Windows\Logo1_.exe
| MD5 | a41e528e57375acc788aa848f3b18b58 |
| SHA1 | 1df9561f65e3e8e3e987d6b79e202e84f2048b21 |
| SHA256 | 032f6fb6838bbec15be24649eac0293fdc0c6d8794e94aa7a1cb0015587f9401 |
| SHA512 | dfc5b341eef7c2d2930063d29ccc284afd480701d5184d3bf9b0ed9d6c508adb2fb6f9091b767a26917c2b73e920d1125fd1f3d68cfa847c2589f5fdfe0716dc |
memory/4904-8-0x0000000000400000-0x000000000043F000-memory.dmp
memory/2072-11-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\$$aAA2A.bat
| MD5 | 341d740dc31a2e2f9b2fe286b43a6dcf |
| SHA1 | 7ee75f9826087438558ac75088516dc9fa3e1203 |
| SHA256 | ce812040f1b3895ea64900c28c86a84a0449088a4292516e64e6bd9ffddced2a |
| SHA512 | ade75e1caba9b4d8d269014e1d50d01c2d565d3ffa3c8e10e980a83a4857f1e537e2f6849e60a37007ef6d9f65d1e0ca3349ebef2213bba3f1c8260078e808f6 |
C:\Users\Admin\AppData\Local\Temp\490557c719236120c320147ee2c01e78147fcf3ceb4b7da1effb0574e2358ebe.exe.exe
| MD5 | 87912631f20ab91421228cd219922519 |
| SHA1 | 71a90e384de55c6f5257466e53f6c0add270a01d |
| SHA256 | fcfdb5e2601430a674f599e054f65471e42cb18f8484aa8d8eb38f0c6f4e9c6d |
| SHA512 | 0843a6a6a1e7e6d394db8d939e5e11ddfbed917e262dcb41fddee490d7e1657d45edd93fa2e734a6d8419b2f935ef53c0185d626a83ef1e7d53db8e261f8fc8a |
memory/4904-18-0x0000000000400000-0x000000000043F000-memory.dmp
F:\$RECYCLE.BIN\S-1-5-21-3227495264-2217614367-4027411560-1000\_desktop.ini
| MD5 | 718bfb92f559ca14a82c7a2cb2c8215c |
| SHA1 | 9f17457d0b5980e5a634208930802e20799ee8d6 |
| SHA256 | 3d2fb0ad016be8c2bf29e6b47092e95fb2913f89927c45261dde2f9072b746d6 |
| SHA512 | b612293b28c691823ee89ecda9759567949b1801a9491288a54e505941c4daf1f9f49e358b226fa3b4876b8052ba5c17ccefe71f1b24cc9e1daecd906087ce3e |
C:\Program Files\7-Zip\7z.exe
| MD5 | 9e2a3e0665ab03f40860cec92bce41ee |
| SHA1 | 141107aea8f388ba91b9d8273d88ff493bb1e77e |
| SHA256 | c4553458773fbe2d86c511ff78ce6a0f00afe20eeb13140e1303cbd7b75f69a4 |
| SHA512 | f9d58891fdeeace650d01f7a562fd75ac58e77466b211d0fe90c98bb3b6396f7df90f0a3005b5398e0593c19e4edf75c951e1bd79c228d29e47c2c59b960e414 |
memory/4904-2748-0x0000000000400000-0x000000000043F000-memory.dmp
C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe
| MD5 | 2c74d440eaf8f4d9ebdaf431fed2102d |
| SHA1 | 4281804bdd247899a12a2ddfc4eedcd5bc313fbe |
| SHA256 | e7585e15f53b58e02b39c07512e32717fa17c8fcfec1bb510e24b6a626e8de27 |
| SHA512 | 1c031c965728641c9011dd85edd7ba401fc7835274ad0a3d2a60a494ec6596ba39968face346a2196ecc28967f11091fe9fce78032d425ef4dce5223d33a3aa9 |
C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe
| MD5 | e0725f04ef2eb236cf23dbdc14d512a5 |
| SHA1 | ef9875c8bd15d6c9cdcb0a4025470fae9e0d00b2 |
| SHA256 | ca3e9560c3c22fbb4efc142647d6918fe315dda96b5e00c9f0431f55ca97bcaa |
| SHA512 | 2dacc3b71e320017826ef563affec0c895cdda9cd293b6814df20aefa5d936e6fbed1d387f9224e533f473243ecb6ea5865d0919f56459c6c3e014e07d241a4e |
memory/4904-8784-0x0000000000400000-0x000000000043F000-memory.dmp