Malware Analysis Report

2025-03-15 01:15

Sample ID 240614-clkw9s1gjg
Target a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664
SHA256 a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664
Tags
persistence
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

SHA256

a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664

Threat Level: Likely malicious

The file a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664 was found to be: Likely malicious.

Malicious Activity Summary

persistence

Sets file execution options in registry

Modifies system executable filetype association

Drops file in System32 directory

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-14 02:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 02:09

Reported

2024-06-14 02:12

Platform

win7-20240221-en

Max time kernel

140s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe"

Signatures

Sets file execution options in registry

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\debugger = "ntsd -d" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\debugger = "ntsd -d" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe\debugger = "ntsd -d" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe C:\Windows\SysWOW64\reg.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe " C:\Windows\SysWOW64\cmd.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification \??\c:\Windows\SysWOW64\regedit.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files (x86)\Windows Media Player\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\7-Zip\Uninstall.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\WMPSideShowGadget.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\Adobe AIR Updater.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\CLVIEW.EXE C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\1033\ONELEV.EXE C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\VideoLAN\VLC\vlc-cache-gen.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\LogTransport2.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\ssvagent.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jre7\bin\policytool.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Games\Hearts\Hearts.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\template.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files (x86)\Windows Media Player\wmlaunch.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Google\Chrome\Application\chrome_proxy.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Windows Defender\MpCmdRun.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files (x86)\Windows Mail\wab.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files (x86)\Windows Media Player\wmpconfig.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jre7\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jre7\bin\jp2launcher.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\DW\DWTRIG20.EXE C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\bin\jrunscript.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\bin\native2ascii.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jre7\bin\keytool.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files (x86)\Windows Sidebar\sidebar.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jre7\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Internet Explorer\iediagcmd.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\lib\nbexec64.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Windows Journal\PDIALOG.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\WMPDMC.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\bin\javac.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\bin\javap.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32Info.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk1.7.0_80\bin\wsgen.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jre7\bin\klist.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\OIS.EXE C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\Wordconv.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files (x86)\Windows Media Player\WMPDMC.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\airappinstaller.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdate.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jre7\bin\ssvagent.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\setup_wm.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files (x86)\Adobe\Reader 9.0\Reader\reader_sl.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Mozilla Firefox\maintenanceservice.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Google\Chrome\Application\106.0.5249.119\chrome_pwa_launcher.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jre7\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Windows Media Player\wmpenc.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\IEContentService.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\MSTORE.EXE C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files (x86)\Microsoft Office\Office14\WORDICON.EXE C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification \??\c:\Windows\hh.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Windows\notepad.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Windows\splwow64.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Windows\write.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Windows\Boot\PCAT\memtest.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Windows\bfsvc.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Windows\fveupdate.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Windows\HelpPane.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Windows\twunk_16.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Windows\twunk_32.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Windows\winhlp32.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Windows\explorer.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe " C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell\Open\Command C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe " C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell\Open C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe " C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.txt C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.txt \ = " exefile" C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe " C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open\Command C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1912 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 2872 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 2916 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 448 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 2888 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 2076 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 3060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2940 wrote to memory of 3060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2940 wrote to memory of 3060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2940 wrote to memory of 3060 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 1912 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 1912 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 2940 wrote to memory of 2280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2940 wrote to memory of 2280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2940 wrote to memory of 2280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2940 wrote to memory of 2280 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2940 wrote to memory of 3012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2940 wrote to memory of 3012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2940 wrote to memory of 3012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 2940 wrote to memory of 3012 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe

"C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c C:\123.bat

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c assoc .txt = exefile

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ftype comfile=C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ftype zipfile=C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe

C:\Windows\SysWOW64\reg.exe

reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\ZhuDongFangYu.exe" /v debugger /t reg_sz /d "ntsd -d" /f

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ftype jpgfile=C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ftype txtfile=C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe

C:\Windows\SysWOW64\reg.exe

reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\360tray.exe" /v debugger /t reg_sz /d "ntsd -d" /f

C:\Windows\SysWOW64\reg.exe

reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\taskmgr.exe" /v debugger /t reg_sz /d "ntsd -d" /f

Network

N/A

Files

memory/1912-0-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Program Files\7-Zip\7zG.exe

MD5 811d59d9439acf452038bc2cf469a9f0
SHA1 5b81b2e6dd93d65177fea9059aa0ac635966227d
SHA256 358dc3a19ccd14f1209e1c306dbd2de2b024457bc7d09f33981e9ec092a9b007
SHA512 d7d1db56e7c877f1cebfdd2e5f5feaa8c27556ebfc5b7e8e61a9ecd9f63f1f4725cc295bec6aabba0f3926c2011b9b40a37bfc37a6fc03036db6cdf7965f7354

C:\123.bat

MD5 70170ba16a737a438223b88279dc6c85
SHA1 cc066efa0fca9bc9f44013660dea6b28ddfd6a24
SHA256 d3674f4b34a8ca8167160519aa5c66b6024eb09f4cb0c9278bc44370b0efec6a
SHA512 37cc8c954544374d0a1ca4d012c9bd0b47781bc9bb8d0c15a8a95b9934893db3bedee867b984c20edabe54c39574abf7250de433aade6c0d544b8dd2c972c6da

memory/1912-1071-0x0000000000400000-0x000000000041D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 02:09

Reported

2024-06-14 02:12

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe"

Signatures

Sets file execution options in registry

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\360tray.exe\debugger = "ntsd -d" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\debugger = "ntsd -d" C:\Windows\SysWOW64\reg.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe C:\Windows\SysWOW64\reg.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ZhuDongFangYu.exe\debugger = "ntsd -d" C:\Windows\SysWOW64\reg.exe N/A

Modifies system executable filetype association

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe " C:\Windows\SysWOW64\cmd.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\Smart Tag\SmartTagInstall.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\jre\bin\java.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\VPREVIEW.EXE C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\jsadebugd.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\Common.DBConnection.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jre-1.8\bin\ktab.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jre-1.8\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate32.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Client\AppVLP.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\native2ascii.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jre-1.8\bin\javacpl.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jre-1.8\bin\kinit.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\msouc.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-001F-0C0A-1000-0000000FF1CE}\misc.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Office\Office16\DCF\DATABASECOMPARE.EXE C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\jre\bin\orbd.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\MSOHTMED.EXE C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\XLICONS.EXE C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\servertool.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\SETLANG.EXE C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\dbcicons.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Common Files\microsoft shared\MSInfo\msinfo32.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\jdb.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\MSOSYNC.EXE C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\officeappguardwin32.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-006E-0409-1000-0000000FF1CE}\misc.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\idlj.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\msoadfsb.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Google\Chrome\Application\110.0.5481.104\notification_helper.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\ONENOTE.EXE C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\OFFICE16\OLicenseHeartbeat.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\protocolhandler.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jre-1.8\bin\tnameserv.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Common Files\microsoft shared\ink\mip.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jre-1.8\bin\java-rmi.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jre-1.8\bin\java.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jre-1.8\bin\orbd.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\javapackager.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\policytool.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\ProgramFilesX86\Microsoft Analysis Services\AS OLEDB\140\SQLDumper.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\jconsole.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jre-1.8\bin\jabswitch.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Internet Explorer\ielowutil.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\schemagen.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\SELFCERT.EXE C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\lyncicon.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\bin\rmid.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\Office16\ORGCHART.EXE C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A
File opened for modification \??\c:\Program Files\Microsoft Office\root\vfs\Windows\Installer\{90160000-000F-0000-1000-0000000FF1CE}\pptico.exe C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.txt C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\txtfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe " C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell\Open C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe " C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\comfile\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe " C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.txt \ = " exefile" C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell\Open\Command C:\Windows\SysWOW64\cmd.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile\Shell\Open\Command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe " C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\jpgfile C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile C:\Windows\SysWOW64\cmd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\zipfile\Shell\Open\Command C:\Windows\SysWOW64\cmd.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2656 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 3384 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 4464 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 3556 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 4672 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 4048 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 4620 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 2656 wrote to memory of 5016 N/A C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe C:\Windows\SysWOW64\cmd.exe
PID 4464 wrote to memory of 2152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4464 wrote to memory of 2152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4464 wrote to memory of 2152 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4464 wrote to memory of 4476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4464 wrote to memory of 4476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4464 wrote to memory of 4476 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4464 wrote to memory of 3424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4464 wrote to memory of 3424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4464 wrote to memory of 3424 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe

"C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe"

C:\Windows\SysWOW64\cmd.exe

cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c C:\123.bat

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c assoc .txt = exefile

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ftype comfile=C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ftype zipfile=C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ftype jpgfile=C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe

C:\Windows\SysWOW64\cmd.exe

cmd.exe /c ftype txtfile=C:\Users\Admin\AppData\Local\Temp\a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664.exe

C:\Windows\SysWOW64\reg.exe

reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\ZhuDongFangYu.exe" /v debugger /t reg_sz /d "ntsd -d" /f

C:\Windows\SysWOW64\reg.exe

reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\360tray.exe" /v debugger /t reg_sz /d "ntsd -d" /f

C:\Windows\SysWOW64\reg.exe

reg add "hklm\software\microsoft\windows nt\currentversion\Image File Execution Options\taskmgr.exe" /v debugger /t reg_sz /d "ntsd -d" /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/2656-0-0x0000000000400000-0x000000000041D000-memory.dmp

C:\Program Files\7-Zip\7zG.exe

MD5 be56cc5ab8b2ae1bfb1fc14960f778d3
SHA1 5bd5f15424d54905c04eaf3d538683aa9c027811
SHA256 a4c01430bde25f181f5d9cab27c2e4b2b8235507c24f4c11ad8d4436d374c664
SHA512 4fd17498f6a39c5df092d61a34840cde0343892b5a31613e6bb0ba5c92fa3218533a5629732c80330444979815bcf9477bdf8057100980637a0fb34e49b1b2fc

C:\123.bat

MD5 70170ba16a737a438223b88279dc6c85
SHA1 cc066efa0fca9bc9f44013660dea6b28ddfd6a24
SHA256 d3674f4b34a8ca8167160519aa5c66b6024eb09f4cb0c9278bc44370b0efec6a
SHA512 37cc8c954544374d0a1ca4d012c9bd0b47781bc9bb8d0c15a8a95b9934893db3bedee867b984c20edabe54c39574abf7250de433aade6c0d544b8dd2c972c6da

memory/2656-1016-0x0000000000400000-0x000000000041D000-memory.dmp