Malware Analysis Report

2024-09-11 13:01

Sample ID 240613-2pp3tsxdrl
Target 4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832
SHA256 4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832
Tags
evasion trojan
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832

Threat Level: Shows suspicious behavior

The file 4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832 was found to be: Shows suspicious behavior.

Malicious Activity Summary

evasion trojan

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Deletes itself

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Runs net.exe

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-13 22:45

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 22:45

Reported

2024-06-13 22:48

Platform

win7-20240611-en

Max time kernel

149s

Max time network

121s

Command Line

C:\Windows\Explorer.EXE

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\wps\~f760e72\Au_.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jdk1.7.0_80\bin\jps.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\mux\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sk\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\RedistList\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Icons\SC_Reader.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\plugins\gui\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.equinox.p2.core.feature_1.3.0.v20140523-0116\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\lib\zi\SystemV\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\Triedit\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A90000000001}\Setup.exe C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\InfoPathOM\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre7\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\brx\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\zh_CN\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Backgammon\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Solitaire\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Defender\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\Chess\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\ar\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\lt\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\Locales\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\SpeechEngines\Microsoft\TTS20\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Google\Update\Download\{8A69D345-D564-463C-AFF1-A69D9E530F96}\106.0.5249.119\chrome_installer.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\STARTUP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\1033\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Microsoft Games\More Games\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\ga\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\fi\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\db\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fr\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Multiplayer\Spades\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\Purble Place\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Microsoft Games\SpiderSolitaire\es-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.feature_1.1.0.v20140827-1444\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\ja\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\AUTOSHAP\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\locale\sw\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\meta_engine\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.babel.nls_eclipse_zh_4.4.0.v20140623020002\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\MSTORDB.EXE C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps\~f760e72\Au_.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wps\~f760e72\Au_.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps\~f760e72\Au_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1876 wrote to memory of 2968 N/A C:\Users\Admin\AppData\Local\Temp\4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832.exe C:\Windows\SysWOW64\cmd.exe
PID 1876 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832.exe C:\Windows\Logo1_.exe
PID 2524 wrote to memory of 2652 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 2968 wrote to memory of 2564 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832.exe
PID 2652 wrote to memory of 2688 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 2564 wrote to memory of 2596 N/A C:\Users\Admin\AppData\Local\Temp\4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832.exe C:\Users\Admin\AppData\Local\Temp\wps\~f760e72\Au_.exe
PID 2596 wrote to memory of 2464 N/A C:\Users\Admin\AppData\Local\Temp\wps\~f760e72\Au_.exe C:\Users\Admin\AppData\Local\Temp\wps\~f760e72\Au_.exe
PID 2524 wrote to memory of 1176 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832.exe

"C:\Users\Admin\AppData\Local\Temp\4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\Users\Admin\AppData\Local\Temp\$$aD4A.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832.exe

"C:\Users\Admin\AppData\Local\Temp\4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832.exe"

C:\Users\Admin\AppData\Local\Temp\wps\~f760e72\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\wps\~f760e72\Au_.exe" /from="cmd.exe"

C:\Users\Admin\AppData\Local\Temp\wps\~f760e72\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\wps\~f760e72\Au_.exe" -downpower /from=cmd.exe -msgwndname=uninstallsend_message_F760F6C

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\$$aD4A.bat

C:\Windows\Logo1_.exe

C:\Users\Admin\AppData\Local\Temp\4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832.exe.exe

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpsuninstall.log

C:\Users\Admin\AppData\Local\tempuninstall.ini

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpsuninstall.log

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpsuninstall.log

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpsuninstall.log

C:\Users\Admin\AppData\Local\Temp\wps\~f761101\uninstall_res\cgpb_fg.png

C:\Users\Admin\AppData\Local\Temp\wps\~f761101\uninstall_res\cgpb_bg.png

F:\$RECYCLE.BIN\S-1-5-21-1340930862-1405011213-2821322012-1000\_desktop.ini

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 22:45

Reported

2024-06-13 22:48

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

152s

Command Line

C:\Windows\Explorer.EXE

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\wps\~e57d2f0\Au_.exe N/A

Checks whether UAC is enabled

evasion trojan

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\wps\~e57d2f0\Au_.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\P: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\J: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Z: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\X: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\V: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\U: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\R: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\N: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\E: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Y: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\W: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\O: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\M: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\L: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\K: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\I: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\T: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\Q: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\G: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\S: C:\Windows\Logo1_.exe N/A
File opened (read-only) \??\H: C:\Windows\Logo1_.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\css\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\root\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\hu-hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Common Files\Microsoft Shared\ink\it-IT\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\RedistList\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\lv-LV\View3d\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\tr-tr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\sv-se\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ja-jp\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\nls\zh-cn\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sk-sk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Resource\TypeSupport\Unicode\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\124.0.2478.80\Extensions\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsFeedbackHub_1.1907.3152.0_x64__8wekyb3d8bbwe\HoloAssets\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\sr\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\plugins\codec\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Windows Photo Viewer\ja-JP\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.30251.0_x64__8wekyb3d8bbwe\AppInstallerElevatedAppServiceClient.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\reviews\js\nls\sl-si\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\lib\amd64\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Microsoft\EdgeCore\124.0.2478.80\VisualElements\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Windows Defender\fr-FR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\fi\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\js\nls\en-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\he-il\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pt-br\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\cs\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\Java\jdk-1.8\bin\jdb.exe C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Wallet_2.4.18324.0_x64__8wekyb3d8bbwe\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\124.0.2478.80\ResiliencyLinks\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Assets\StoreRating\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.MSPaint_6.1907.29027.0_x64__8wekyb3d8bbwe\Assets\Logos\contrast-white\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\zh-cn\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\da-dk\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\WindowsPowerShell\Modules\PackageManagement\1.0.0.1\DSCResources\MSFT_PackageManagement\de-DE\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\en-ae\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ru-RU\View3d\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\app-center\js\nls\it-it\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\en-gb\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\ca-es\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\de\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\DeletedAllUserPackages\Microsoft.WindowsCalculator_10.1906.55.0_neutral_split.scale-125_8wekyb3d8bbwe\Assets\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Microsoft3DViewer_6.1908.2042.0_x64__8wekyb3d8bbwe\Common.View.UWP\Strings\ca-ES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Mozilla Firefox\fonts\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsPowerShell\Modules\PSReadline\2.0.0\it\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\images\themes\dark\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\nb-no\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\uk-ua\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\Java\jre-1.8\bin\dtplugin\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WebpImageExtension_1.0.22753.0_x64__8wekyb3d8bbwe\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Xbox.TCUI_1.23.28002.0_x64__8wekyb3d8bbwe\AppxMetadata\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.19071.19011.0_x64__8wekyb3d8bbwe\ImmersiveVideoPlayback\Content\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\hu-hu\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\dotnet\host\fxr\8.0.2\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1906.1972.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Directions\Home\LTR\_desktop.ini C:\Windows\Logo1_.exe N/A
File opened for modification C:\Program Files\VideoLAN\VLC\locale\tt\LC_MESSAGES\_desktop.ini C:\Windows\Logo1_.exe N/A
File created C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\_desktop.ini C:\Windows\Logo1_.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\rundl132.exe C:\Users\Admin\AppData\Local\Temp\4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832.exe N/A
File created C:\Windows\Logo1_.exe C:\Users\Admin\AppData\Local\Temp\4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832.exe N/A
File opened for modification C:\Windows\rundl132.exe C:\Windows\Logo1_.exe N/A
File created C:\Windows\vDll.dll C:\Windows\Logo1_.exe N/A

Enumerates physical storage devices

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps\~e57d2f0\Au_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps\~e57d2f0\Au_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps\~e57d2f0\Au_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps\~e57d2f0\Au_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps\~e57d2f0\Au_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps\~e57d2f0\Au_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps\~e57d2f0\Au_.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps\~e57d2f0\Au_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A
N/A N/A C:\Windows\Logo1_.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps\~e57d2f0\Au_.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\wps\~e57d2f0\Au_.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\wps\~e57d2f0\Au_.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1692 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 3132 N/A C:\Users\Admin\AppData\Local\Temp\4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832.exe C:\Windows\SysWOW64\cmd.exe
PID 1692 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832.exe C:\Windows\Logo1_.exe
PID 1692 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832.exe C:\Windows\Logo1_.exe
PID 1692 wrote to memory of 444 N/A C:\Users\Admin\AppData\Local\Temp\4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832.exe C:\Windows\Logo1_.exe
PID 444 wrote to memory of 1060 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 444 wrote to memory of 1060 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 444 wrote to memory of 1060 N/A C:\Windows\Logo1_.exe C:\Windows\SysWOW64\net.exe
PID 1060 wrote to memory of 3216 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1060 wrote to memory of 3216 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 1060 wrote to memory of 3216 N/A C:\Windows\SysWOW64\net.exe C:\Windows\SysWOW64\net1.exe
PID 3132 wrote to memory of 4592 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832.exe
PID 3132 wrote to memory of 4592 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832.exe
PID 3132 wrote to memory of 4592 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832.exe
PID 4592 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832.exe C:\Users\Admin\AppData\Local\Temp\wps\~e57d2f0\Au_.exe
PID 4592 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832.exe C:\Users\Admin\AppData\Local\Temp\wps\~e57d2f0\Au_.exe
PID 4592 wrote to memory of 4540 N/A C:\Users\Admin\AppData\Local\Temp\4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832.exe C:\Users\Admin\AppData\Local\Temp\wps\~e57d2f0\Au_.exe
PID 4540 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\wps\~e57d2f0\Au_.exe C:\Users\Admin\AppData\Local\Temp\wps\~e57d2f0\Au_.exe
PID 4540 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\wps\~e57d2f0\Au_.exe C:\Users\Admin\AppData\Local\Temp\wps\~e57d2f0\Au_.exe
PID 4540 wrote to memory of 2180 N/A C:\Users\Admin\AppData\Local\Temp\wps\~e57d2f0\Au_.exe C:\Users\Admin\AppData\Local\Temp\wps\~e57d2f0\Au_.exe
PID 444 wrote to memory of 3436 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE
PID 444 wrote to memory of 3436 N/A C:\Windows\Logo1_.exe C:\Windows\Explorer.EXE

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832.exe

"C:\Users\Admin\AppData\Local\Temp\4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\$$aD0EC.bat

C:\Windows\Logo1_.exe

C:\Windows\Logo1_.exe

C:\Windows\SysWOW64\net.exe

net stop "Kingsoft AntiVirus Service"

C:\Windows\SysWOW64\net1.exe

C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"

C:\Users\Admin\AppData\Local\Temp\4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832.exe

"C:\Users\Admin\AppData\Local\Temp\4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832.exe"

C:\Users\Admin\AppData\Local\Temp\wps\~e57d2f0\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\wps\~e57d2f0\Au_.exe" /from="cmd.exe"

C:\Users\Admin\AppData\Local\Temp\wps\~e57d2f0\Au_.exe

"C:\Users\Admin\AppData\Local\Temp\wps\~e57d2f0\Au_.exe" -downpower /from=cmd.exe -msgwndname=uninstallsend_message_E57D419

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=2668,i,14648456027158448592,4956305794400220180,262144 --variations-seed-version --mojo-platform-channel-handle=3684 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/1692-0-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Windows\Logo1_.exe

MD5 111cf05043f7e2167709e32cf4cbb9f6
SHA1 08e30a56078bb7f9b09709212848397e325458a4
SHA256 8aadbbf032420ba38402e5c280b0b2aaeadd1a38d6d4539c9ac6222de98a6553
SHA512 7fca5fefb9a074177057dd4704fa28057ccc68e517795e2acc099cb7ea7cf96c4ae89cc306cae3ea0cc00bd0258c1e0952e550468a608014b225576c038a9c84

memory/1692-9-0x0000000000400000-0x0000000000434000-memory.dmp

memory/444-12-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\$$aD0EC.bat

MD5 1f4e81bd647b694b8cac7e13000c7e88
SHA1 bea7af19bb5fde22dcb6bda7b5523dedc827879d
SHA256 60a1f22381d70b2e5395f8882a2e9622bee5b0ee56345fae759ff25e2eb91ad4
SHA512 e80538f9232064e91702f22b9eb9d6c43bcdc38e43d6ade5baf64d36d5ad90a34c2d12e3dcccfa3a77a7aa151d3017d6b34e4d4b08e00a40c25f705da64c242c

C:\Users\Admin\AppData\Local\Temp\4d6b9c17d52ea3f41f35feaea2d38598331f18b90df57b322dcb4bf936f9a832.exe.exe

MD5 769d813bd1264fc935208c435d01dab8
SHA1 39b248ceb68f99da75f732b28fbc301b30da1f2a
SHA256 6fa0932639ef8309b4ede207a07e0fe210d95aeae3811af9dbbe74438ac3a69d
SHA512 1d6c756e76b14fdecc75bff3100c34e3753269e70538739d935ab906506be7a5dfe800f682bad6f33137e52ce0357aecd4c0d3f5e4c5afdf675988a878868687

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpsuninstall.log

MD5 093545202edd750f3c1a5340a2918aba
SHA1 f7f2b740f00e4b9c61d5840555ab5d474a0a2e83
SHA256 21532b3f5c70192dd220ba047291884670ee0b18dc1c7e35dfd31f6e64d87272
SHA512 80d34eddffcb5056b20090fa905cc4406b74ff4691d7ff970f4c281e9f5396cf203038186ae1717040d5a485e9fbcba9bc8ede2c9b03fbaeef0dac42848529e1

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpsuninstall.log

MD5 bad2a5346e9a14998aa494725bbb7ba3
SHA1 636a1e32d44b5af2f7febfa432d416b686544784
SHA256 c3313f3fab210248e23c1365bec79a72200b05f2bcf93f80b3764377c18ed7e4
SHA512 0e4e0aaaa674b9ea4abd3514d8a0621ac83df2c9933d8c11da7fdccd9a9d294f0ca8b5d43287dbd1e2fb713f2882faa3bd0f08b9b62b8b0d6a82ef4f0378177e

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpsuninstall.log

MD5 056ae890411f4fb52a8ec6e07729138d
SHA1 6448c47ecdbbf4bfa0173c5fe64665f926f22e74
SHA256 13bc5756da9122ca48a3864bfd644f892f1f503d913fd3ebfaa6bb57aadb2922
SHA512 fbb08e4a57b209201a51bb4f37f1cdbb62d87ef40789fbe293b4f7fb2224cf7ac2dda9efcfa8f2b8f3cffc76581d3ce41524e9874235b40319cbce6f980bab29

C:\Users\Admin\AppData\Local\tempuninstall.ini

MD5 db40ec764b2e435da14c92b72308ed6e
SHA1 7e95a22b15d20f736d7298bf545e0a73b08e6633
SHA256 859f1c7a7143c049084f7033a6da8bc94d519ec439d668520654f0a4073ed910
SHA512 4ec66c8febce5574dadeaddadec76256a3dd26f9e9dfca40fb57f8fada1e53e05ad2aa8ed743ff6704a5ec2b5cc4238636ee8241f3e04cdbf99a092b09a0ef91

C:\Users\Admin\AppData\Roaming\kingsoft\office6\log\setup\wpsuninstall.log

MD5 f74e73e9d1374cb6c2fe703a7bcabe74
SHA1 fce5b1b2ce101d384e4c5e4c28c5e3f3398caab1
SHA256 edd0b5c5cc5eb72a0fba6f3c2f31ba12bae90c0d2c78c8faccbb51b3c717f216
SHA512 cf9c94f3247f3c46bd8ccd6ab69be21df769bc3b48d3cc763706445c5bec5ba3cb67460a72db242bb3930daebc3472850d019e1826547149c58a5a271e8da38e

C:\Users\Admin\AppData\Local\Temp\wps\~e57d4e4\uninstall_res\cgpb_fg.png

MD5 364888aa1329fb55f8377c34bc5b29d3
SHA1 6550c415a349c4df242aa219045cc184ba8d65ab
SHA256 28e85a601be919c96086c0ca2e056acd8184ec6f3cb1e35b2b15179b20e9d501
SHA512 8375b365f4e84c6b765213611dcc18eaca2f2a9e75a7d4e187fae3d0d2152d0323bf2922fb9a1ad4f8fcaad2a6d57e8345ce0828762b553fb6473468d08bb445

C:\Users\Admin\AppData\Local\Temp\wps\~e57d4e4\uninstall_res\cgpb_bg.png

MD5 315125d6cb7705306ace3dd71ce50e8e
SHA1 67f4e13ee507ccfa2df855bcf5ebbcdb0aff5d7f
SHA256 f76ec3175357ab52752a09a344278f167ac672da8aa0dad179ef4a8ee9038db9
SHA512 b37eb1d4274eddd8a11854f5cf02f72dad45fa71bc7ca8091ed4f44e423bbb2d023e2f68cc0d6cba1dcacc4e9e34fb280b0147218ec019fff31ebf447e91a259

memory/444-186-0x0000000000400000-0x0000000000434000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-1181767204-2009306918-3718769404-1000\_desktop.ini

MD5 4f2460b507685f7d7bfe6393f335f1c9
SHA1 378d42f114b1515872e58de6662373af31ab8c7b
SHA256 47a22297ce31d17b0f37251ce63cf2eb146700451caab6dd0aa710d2526c8e42
SHA512 75dcca6b81ac47511b847a5c35be4bddbee425436f7bfd1347115e18b84f52a16a5c517bda0a5f5d0a1f2541aab80d764932d8018538cb112fa3b6c9977e95eb

memory/444-193-0x0000000000400000-0x0000000000434000-memory.dmp

memory/444-200-0x0000000000400000-0x0000000000434000-memory.dmp

memory/444-203-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Program Files\7-Zip\7z.exe

MD5 1549a4bdc2c50ebbbb0eedaa6327ea86
SHA1 6c8292ad1c29485e176caa26612cadb01b818412
SHA256 b734e9f81415f84813857b8762c2bbfda2b3b6302dabfa88ba4ddb15170ba56f
SHA512 18dd4178e70380192a07caf3579814b11f7e57d886186c6f4813bb98f90076ac3b17a766975a62aa3ece78966d38c9f66eb2e8c7c97a3ee67a9bfb4515d6ff6d

memory/444-1403-0x0000000000400000-0x0000000000434000-memory.dmp

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

MD5 36041519366ab508f645352d7c4095ad
SHA1 a33cbfd3a554a2b216a820e55cad52177c6bbd34
SHA256 242f6ebe3bbac27367298cd98621bfc326be49b68fee9ae21cd339689b7368ce
SHA512 054d1c1835ab5f54ce1054cdd98d37aecf215e0f3086b3912a988c399b0c874b316f768cc90c6cd95799b9566f657bdce292c90633dc849598a18230411db0fb

memory/444-5041-0x0000000000400000-0x0000000000434000-memory.dmp

C:\ProgramData\Package Cache\{63880b41-04fc-4f9b-92c4-4455c255eb8c}\windowsdesktop-runtime-8.0.2-win-x64.exe

MD5 2500f702e2b9632127c14e4eaae5d424
SHA1 8726fef12958265214eeb58001c995629834b13a
SHA256 82e5b0001f025ca3b8409c98e4fb06c119c68de1e4ef60a156360cb4ef61d19c
SHA512 f420c62fa1f6897f51dd7a0f0e910fb54ad14d51973a2d4840eeea0448c860bf83493fb1c07be65f731efc39e19f8a99886c8cfd058cee482fe52d255a33a55c

memory/444-5486-0x0000000000400000-0x0000000000434000-memory.dmp