Malware Analysis Report

2025-01-03 09:25

Sample ID 240620-p91nvashnn
Target 2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker
SHA256 3784958f665b395183bb891240fddd8f99493ae8be96f55901880ea7e7bddb02
Tags
evasion trojan bootkit persistence
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

3784958f665b395183bb891240fddd8f99493ae8be96f55901880ea7e7bddb02

Threat Level: Shows suspicious behavior

The file 2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker was found to be: Shows suspicious behavior.

Malicious Activity Summary

evasion trojan bootkit persistence

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Checks whether UAC is enabled

Writes to the Master Boot Record (MBR)

Checks for VirtualBox DLLs, possible anti-VM trick

Modifies system certificate store

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 13:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 13:02

Reported

2024-06-20 13:05

Platform

win7-20240419-en

Max time kernel

121s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2396 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe
PID 2396 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe
PID 2396 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe
PID 2396 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe
PID 2396 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe
PID 2396 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe
PID 2396 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe"

C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe

"C:\Windows\temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe" -initialNonSecureSetupPath="C:\Users\Admin\AppData\Local\Temp\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ds.kaspersky.com udp
CH 82.202.184.184:443 ds.kaspersky.com tcp
US 8.8.8.8:53 crl.kaspersky.com udp
FR 212.73.221.196:80 crl.kaspersky.com tcp
US 8.8.8.8:53 dm.s.kaspersky-labs.com udp
DE 130.117.190.147:443 dm.s.kaspersky-labs.com tcp
DE 130.117.190.147:443 dm.s.kaspersky-labs.com tcp
DE 130.117.190.147:443 dm.s.kaspersky-labs.com tcp
DE 130.117.190.147:443 dm.s.kaspersky-labs.com tcp
DE 130.117.190.147:443 dm.s.kaspersky-labs.com tcp
DE 130.117.190.147:443 dm.s.kaspersky-labs.com tcp
DE 130.117.190.147:443 dm.s.kaspersky-labs.com tcp

Files

memory/2396-2-0x0000000077570000-0x0000000077580000-memory.dmp

memory/2396-0-0x0000000077570000-0x0000000077580000-memory.dmp

memory/2396-1-0x0000000077570000-0x0000000077580000-memory.dmp

\Windows\Temp\023C80D550F2FE11888DE5056327327A\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe

MD5 602db6d99b3daffef5eaef8e3b13593d
SHA1 1a7677e5682345531592df57d5de6b4d22293f3a
SHA256 3784958f665b395183bb891240fddd8f99493ae8be96f55901880ea7e7bddb02
SHA512 7ef6e292fc023ad8fde3b5cc37cb05d44a360e02a44518dfbccd9b22cdebc10838dfa8b86aacf1dc061b629fa943f7ae5475bf0a5cdff85128454c3eea93dbc3

memory/1400-10-0x0000000077560000-0x0000000077570000-memory.dmp

memory/1400-9-0x0000000077560000-0x0000000077570000-memory.dmp

memory/1400-8-0x0000000077560000-0x0000000077570000-memory.dmp

\Users\Admin\AppData\Local\Temp\0DD522D550F2FE11888DE5056327327A\setup.dll

MD5 816f9b62aeeca708661dcd72da3ecb74
SHA1 c26a9bca4382009e61177598bb50f69fb88e88c3
SHA256 3d7dd3e6ae9e4ef059f56f4eabcd8bdb519a2a1fe4cc5219c7a1efc1d554c4e7
SHA512 53a2a3ceda1560f51fd006efedbc2adc8c8110cf8942c72e4d93ced56d693be70002c3fb1ba3503c88c22cf344dc4a64191b3bf729bcbef9cce8b8cbcbc900cc

memory/1400-40-0x000000007319E000-0x000000007319F000-memory.dmp

memory/1400-44-0x0000000000730000-0x000000000073E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\0DD522D550F2FE11888DE5056327327A\kl.setup.ui.interoplayer.dll

MD5 baf69d3c6977161e0c2b631b3f9958d4
SHA1 a1b2982c11811c4e5f6bce95f3072a855d11c369
SHA256 e6392d0cf3a5984034ca0b346476d7482243550ddd0c65a8c0ff2f03a15867bc
SHA512 2fb765d07638d239b666d4043f9ae75e91dc271ddf399dfe5bfd1c894bcabb95e6e965b478f5208687d9ebaa18cdafd6fc3400cd47694fd9db4ac30f3f1d5839

memory/1400-47-0x0000000073190000-0x000000007387E000-memory.dmp

\Users\Admin\AppData\Local\Temp\0DD522D550F2FE11888DE5056327327A\kl.setup.ui.dll

MD5 1bebc399a1b31eabc3361169df0316d1
SHA1 56091143fafa680dc65dd5f2b5d6fafa94590041
SHA256 894914e74da8c8faf8bb9b34e0f9b586db3cb248c3f6edb715a7cb8c930dd66b
SHA512 d0d1fb7e23391a352f6bb3d5756dbbcd5a3558e0c477b265453931940a223dfa31cafe20232a9d08fbb127158bce325dd8b769e7bb62907be89019cd3f02f1ac

memory/1400-51-0x0000000003AD0000-0x0000000003B16000-memory.dmp

memory/1400-52-0x0000000073190000-0x000000007387E000-memory.dmp

\Users\Admin\AppData\Local\Temp\0DD522D550F2FE11888DE5056327327A\kl.ui.framework.dll

MD5 2ad2ab4f8517da8e2efdfed22ad49f1e
SHA1 55916e3e5c4c40cf2e5644fbad07baf31459673e
SHA256 6efe8efc6701c80d59ad33bd139aeca1b47a27f49d3ccc16ed01a49da9bfc2e7
SHA512 12800c7d475af627c98cecb6e6c2de8247094166126978e24bd8be3f7193828781e853ee10b3133c989d625f0e2860ce4551369d864748b70db4ec220c515bbd

memory/1400-82-0x0000000006210000-0x0000000006252000-memory.dmp

memory/1400-86-0x0000000002D70000-0x0000000002D86000-memory.dmp

\Users\Admin\AppData\Local\Temp\0DD522D550F2FE11888DE5056327327A\kl.ui.framework.uikit.dll

MD5 18defb1e3b7460f592a8ca61e4b40ff0
SHA1 8f8f7d7d1ee8a048d162603cc21a0f4c40b9036b
SHA256 02a884babc5584fec80b227eb1c52dc800c516f1117ff9637617ad84c632da9d
SHA512 7cbdc0c113a0c7ff9628674a8a23f4224290455d4a9a41a66889d01baf1f28b0175197c3078a791ecf6b2052c3fdfc35cf38cfae5bf5917bde80f82499d40b12

memory/1400-94-0x00000000083E0000-0x00000000086A0000-memory.dmp

memory/1400-90-0x00000000066E0000-0x0000000006728000-memory.dmp

\Users\Admin\AppData\Local\Temp\0DD522D550F2FE11888DE5056327327A\kl.ui.framework.localization.dll

MD5 079ac68d4beb2ab9602d754b09ff652b
SHA1 90032834cc5cffd0b00119e4e38b5f4c5f877e4c
SHA256 9377c35b19c30ee75c010b1e592796daf1d3493b397ef9d61a1c63a5ab30a88e
SHA512 53782adc516950888ec69b21e744fe4d7f8567223e7c067e362800c78e3621dc148d5aa19f6011962bece1ada3691ef1ef40838a8072480c54aeedb2f4e0c9b9

\Users\Admin\AppData\Local\Temp\0DD522D550F2FE11888DE5056327327A\kl.setup.ui.core.dll

MD5 2c8f5ec07cb84d844e3fdee32b2a8e00
SHA1 2e27daffed27a7e6ee3adc50eef1710da318ca32
SHA256 8d5bd8184fbc3f79ea9edc2c25e1a5a935514518c3fba89bde308c06722375f9
SHA512 ef37109b456a68d55dee8a45340e25cb9901909b30f9f882f62060951bec20d838561dbe5ebe0480aa2feb668c6ffbb2137ed2f69cd3d6337c6f38cf395f6eca

C:\Users\Admin\AppData\Local\Temp\0DD522D550F2FE11888DE5056327327A\kl.setup.ui.visuals.dll

MD5 6181240bc579d2dfb176a1ca260f5a90
SHA1 eb13b6cd4a242c8399396795d1863954b8d79507
SHA256 b07c4d99d4cbb62b31a425e60c993b809c7043518a9ef0b7b561abd180a1b768
SHA512 f5bb4bdd05836c494a560dc9aa16d62d29b90df7c5854d4a97b8e274890dd1476de955637237867a666c1f08785f5dc06d571e023b124530ee87cf6fdb98689f

C:\Users\Admin\AppData\Local\Temp\0DD522D550F2FE11888DE5056327327A\kl.ui.framework.uikit.b2c.dll

MD5 445e34aa976419cae54e13ede8d41ce5
SHA1 98ca3ee808f97ae16970b0fcefd3387bd07278eb
SHA256 a255bb5dfaa685d7443dbc8bb7fca71417c8f0b1f617ade7077ee437a23a9b24
SHA512 86b4084cf781d4efbb814fce3ed6ca48addbf4c15c5ed3630673350cf65056a80e2a9bc00581a45ae370a64f0bc720d506622eccd9d7ef170814faab1cce14c4

memory/1400-117-0x0000000007F50000-0x0000000007FEE000-memory.dmp

memory/1400-111-0x0000000008000000-0x000000000809E000-memory.dmp

memory/1400-103-0x0000000007D40000-0x0000000007DAA000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

memory/1400-98-0x0000000007D40000-0x0000000007DAA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Tar1378.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

memory/1400-184-0x0000000005E00000-0x0000000005E34000-memory.dmp

\Users\Admin\AppData\Local\Temp\0DD522D550F2FE11888DE5056327327A\sharpvectorrenderingwpf.dll

MD5 faec58e7785c287a7c688f274207048d
SHA1 66c038c720035b7212a7d3733da4520e3b95d63b
SHA256 4c76dd0441a8021a308be24cf0c1957bee280451abcc1467acf47f1a6f7f5dce
SHA512 9269a91a5bab01f076d8e9fde2991463fb224dc6382f8cde3a118e83cb35bdf580b4ea7686f2ea767a2a9c04650222edfc3a8b2569978b734c51b7135915448e

\Users\Admin\AppData\Local\Temp\0DD522D550F2FE11888DE5056327327A\sharpvectorconverterswpf.dll

MD5 a56a73b39703d5ff85b5cf12f9b00009
SHA1 e6448c87f969e19ae4c6514d69d8286d26a2b5db
SHA256 bb5966185017d904d2d7fd952bcc6d5c19fdf6bbbe34ab29c63a3784cd1074c7
SHA512 7fa07a1fcc0735186ee71b3c123b1c4076f04dba5ad319588ea695ef117ab7c39918593e4ee42f18cbd3fe01d043e896981ca6f07293fc2fb0a9bce5d66992b5

memory/1400-188-0x0000000005C80000-0x0000000005CA2000-memory.dmp

\Users\Admin\AppData\Local\Temp\0DD522D550F2FE11888DE5056327327A\sharpvectorcore.dll

MD5 24e3b7177eeabdf085a01796b49c8e55
SHA1 6916a0bb98892252f59692fd0405e6da62af0f8b
SHA256 eab963926cf2d62b575c6f33804372fea04db328b2b3f0adfb45fee3f27e5386
SHA512 5e377e609673f3d84e22d070012578b8a18fce848a3815d9da05e10043d3e9fde8070094d1841acb44a4f876d8741e371a5fbcc86cce80cdf826131370a41e64

\Users\Admin\AppData\Local\Temp\0DD522D550F2FE11888DE5056327327A\sharpvectormodel.dll

MD5 225a73e5a0cf87453832b578db6daddb
SHA1 a36717a1b2c7eb2ba160fec5fa80e48b9e57c4ac
SHA256 0499708762c56b9339c980e731ffab294e9b18362af3dcb4ad4481f1c7bd60c1
SHA512 565ee2105bd626650857e0e6f9c8f7d87a68c3ec41923de119a3b710038a4785e16ccf79feb4c1c4f8a308f682163089228ac4ac81295cea754ae1189311c965

memory/1400-196-0x00000000070E0000-0x00000000071DA000-memory.dmp

memory/1400-204-0x00000000061C0000-0x00000000061CE000-memory.dmp

\Users\Admin\AppData\Local\Temp\0DD522D550F2FE11888DE5056327327A\sharpvectordom.dll

MD5 e4f6efef27708458ecda4ee22edf3cef
SHA1 07ccb5fa980dead816737ad83802cbfed18e4a4f
SHA256 413e485d8dd07231d70107d86ee1a17ce705517aed8346b4701747d1fdbfdfc3
SHA512 4920e508304df14041df1189938a1102e4a71e2e57ac4b9b804b6b0405c89c8292012a5ff4dae21268204ed6d9b56a279f4ce18d709074d1cba71cc9d5e11a1d

memory/1400-208-0x00000000062E0000-0x00000000062F2000-memory.dmp

\Users\Admin\AppData\Local\Temp\0DD522D550F2FE11888DE5056327327A\sharpvectorruntimewpf.dll

MD5 0e203d24d04e89779638dd70d5335b39
SHA1 98ffc3718c6e34bd6d696bbcce605db666f99b01
SHA256 f15b5199850b8ed98d2202972ada759823a17893a68d60ca3a0f76ee31aeb204
SHA512 a07f54cce2add948340807b8ecf430e72c07032332046e5dd05d9da90f7d732921c0ff628592ff0710914ec9d9b7188b46377e1594a9f9809a107a022de1cfee

memory/1400-200-0x00000000060A0000-0x00000000060BC000-memory.dmp

memory/1400-217-0x0000000073190000-0x000000007387E000-memory.dmp

\Users\Admin\AppData\Local\Temp\0DD522D550F2FE11888DE5056327327A\sharpvectorcss.dll

MD5 726d04bbe783a3510b18a491adac05c0
SHA1 11a01c68204dd80b32c01dcdb2e51f5b0ee34d98
SHA256 639e091c9e87986eaf9fe00f0f401834e14878ebc48084697fd4307713a065ca
SHA512 90592ddef83b6640cf8f28f0818098f95acc4139c7b3f5e8afa63bb873530be1613d42ee02dae12160737ee612187fc0139e19ee4a7f1abb3fec1fcaee1ae297

memory/1400-218-0x0000000073190000-0x000000007387E000-memory.dmp

memory/1400-192-0x0000000006020000-0x0000000006052000-memory.dmp

memory/1400-180-0x0000000003B20000-0x0000000003B2A000-memory.dmp

memory/1400-241-0x0000000073190000-0x000000007387E000-memory.dmp

memory/1400-242-0x0000000073190000-0x000000007387E000-memory.dmp

memory/1400-243-0x0000000073190000-0x000000007387E000-memory.dmp

memory/1400-244-0x000000007319E000-0x000000007319F000-memory.dmp

memory/1400-245-0x0000000073190000-0x000000007387E000-memory.dmp

memory/1400-246-0x0000000003B20000-0x0000000003B2A000-memory.dmp

memory/1400-247-0x0000000073190000-0x000000007387E000-memory.dmp

memory/1400-248-0x0000000073190000-0x000000007387E000-memory.dmp

memory/1400-249-0x0000000073190000-0x000000007387E000-memory.dmp

memory/1400-250-0x0000000073190000-0x000000007387E000-memory.dmp

memory/1400-251-0x0000000073190000-0x000000007387E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 13:02

Reported

2024-06-20 13:05

Platform

win10v2004-20240508-en

Max time kernel

64s

Max time network

64s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A
N/A N/A C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A

Checks for VirtualBox DLLs, possible anti-VM trick

Description Indicator Process Target
File opened (read-only) \??\VBoxMiniRdrDN C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe"

C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe

"C:\Windows\temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe" -initialNonSecureSetupPath="C:\Users\Admin\AppData\Local\Temp\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 ds.kaspersky.com udp
US 8.8.8.8:53 dm.s.kaspersky-labs.com udp
US 8.8.8.8:53 ds.kaspersky.com udp
US 8.8.8.8:53 dm.s.kaspersky-labs.com udp
US 8.8.8.8:53 ds.kaspersky.com udp
US 8.8.8.8:53 dm.s.kaspersky-labs.com udp
US 8.8.8.8:53 dm.kaspersky-labs.com udp

Files

memory/1660-0-0x00000000773D0000-0x00000000773E0000-memory.dmp

memory/1660-2-0x00000000773D0000-0x00000000773E0000-memory.dmp

memory/1660-1-0x00000000773D0000-0x00000000773E0000-memory.dmp

memory/1660-3-0x0000000077292000-0x0000000077293000-memory.dmp

C:\Windows\Temp\BC7D96C550F2FE115991EF552E6FC5FC\2024-06-20_602db6d99b3daffef5eaef8e3b13593d_avoslocker.exe

MD5 602db6d99b3daffef5eaef8e3b13593d
SHA1 1a7677e5682345531592df57d5de6b4d22293f3a
SHA256 3784958f665b395183bb891240fddd8f99493ae8be96f55901880ea7e7bddb02
SHA512 7ef6e292fc023ad8fde3b5cc37cb05d44a360e02a44518dfbccd9b22cdebc10838dfa8b86aacf1dc061b629fa943f7ae5475bf0a5cdff85128454c3eea93dbc3

memory/4592-9-0x00000000773E0000-0x00000000773F0000-memory.dmp

memory/4592-8-0x00000000773E0000-0x00000000773F0000-memory.dmp

memory/4592-7-0x00000000773E0000-0x00000000773F0000-memory.dmp

memory/4592-10-0x0000000077292000-0x0000000077293000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\195768C550F2FE115991EF552E6FC5FC\setup.dll

MD5 816f9b62aeeca708661dcd72da3ecb74
SHA1 c26a9bca4382009e61177598bb50f69fb88e88c3
SHA256 3d7dd3e6ae9e4ef059f56f4eabcd8bdb519a2a1fe4cc5219c7a1efc1d554c4e7
SHA512 53a2a3ceda1560f51fd006efedbc2adc8c8110cf8942c72e4d93ced56d693be70002c3fb1ba3503c88c22cf344dc4a64191b3bf729bcbef9cce8b8cbcbc900cc

memory/4592-40-0x0000000073A2E000-0x0000000073A2F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\195768C550F2FE115991EF552E6FC5FC\kl.setup.ui.interoplayer.dll

MD5 baf69d3c6977161e0c2b631b3f9958d4
SHA1 a1b2982c11811c4e5f6bce95f3072a855d11c369
SHA256 e6392d0cf3a5984034ca0b346476d7482243550ddd0c65a8c0ff2f03a15867bc
SHA512 2fb765d07638d239b666d4043f9ae75e91dc271ddf399dfe5bfd1c894bcabb95e6e965b478f5208687d9ebaa18cdafd6fc3400cd47694fd9db4ac30f3f1d5839

memory/4592-44-0x0000000003E20000-0x0000000003E2E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\195768C550F2FE115991EF552E6FC5FC\kl.setup.ui.dll

MD5 1bebc399a1b31eabc3361169df0316d1
SHA1 56091143fafa680dc65dd5f2b5d6fafa94590041
SHA256 894914e74da8c8faf8bb9b34e0f9b586db3cb248c3f6edb715a7cb8c930dd66b
SHA512 d0d1fb7e23391a352f6bb3d5756dbbcd5a3558e0c477b265453931940a223dfa31cafe20232a9d08fbb127158bce325dd8b769e7bb62907be89019cd3f02f1ac

memory/4592-47-0x0000000073A20000-0x00000000741D0000-memory.dmp

memory/4592-51-0x00000000063D0000-0x0000000006416000-memory.dmp

memory/4592-52-0x0000000073A20000-0x00000000741D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\195768C550F2FE115991EF552E6FC5FC\kl.ui.framework.dll

MD5 2ad2ab4f8517da8e2efdfed22ad49f1e
SHA1 55916e3e5c4c40cf2e5644fbad07baf31459673e
SHA256 6efe8efc6701c80d59ad33bd139aeca1b47a27f49d3ccc16ed01a49da9bfc2e7
SHA512 12800c7d475af627c98cecb6e6c2de8247094166126978e24bd8be3f7193828781e853ee10b3133c989d625f0e2860ce4551369d864748b70db4ec220c515bbd

memory/4592-82-0x0000000006CD0000-0x0000000006D12000-memory.dmp

memory/4592-86-0x0000000007150000-0x0000000007166000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\195768C550F2FE115991EF552E6FC5FC\kl.setup.ui.core.dll

MD5 2c8f5ec07cb84d844e3fdee32b2a8e00
SHA1 2e27daffed27a7e6ee3adc50eef1710da318ca32
SHA256 8d5bd8184fbc3f79ea9edc2c25e1a5a935514518c3fba89bde308c06722375f9
SHA512 ef37109b456a68d55dee8a45340e25cb9901909b30f9f882f62060951bec20d838561dbe5ebe0480aa2feb668c6ffbb2137ed2f69cd3d6337c6f38cf395f6eca

memory/4592-90-0x00000000074C0000-0x0000000007508000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\195768C550F2FE115991EF552E6FC5FC\kl.ui.framework.localization.dll

MD5 079ac68d4beb2ab9602d754b09ff652b
SHA1 90032834cc5cffd0b00119e4e38b5f4c5f877e4c
SHA256 9377c35b19c30ee75c010b1e592796daf1d3493b397ef9d61a1c63a5ab30a88e
SHA512 53782adc516950888ec69b21e744fe4d7f8567223e7c067e362800c78e3621dc148d5aa19f6011962bece1ada3691ef1ef40838a8072480c54aeedb2f4e0c9b9

C:\Users\Admin\AppData\Local\Temp\195768C550F2FE115991EF552E6FC5FC\kl.ui.framework.uikit.dll

MD5 18defb1e3b7460f592a8ca61e4b40ff0
SHA1 8f8f7d7d1ee8a048d162603cc21a0f4c40b9036b
SHA256 02a884babc5584fec80b227eb1c52dc800c516f1117ff9637617ad84c632da9d
SHA512 7cbdc0c113a0c7ff9628674a8a23f4224290455d4a9a41a66889d01baf1f28b0175197c3078a791ecf6b2052c3fdfc35cf38cfae5bf5917bde80f82499d40b12

memory/4592-94-0x00000000077D0000-0x0000000007A90000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\195768C550F2FE115991EF552E6FC5FC\kl.setup.ui.visuals.dll

MD5 6181240bc579d2dfb176a1ca260f5a90
SHA1 eb13b6cd4a242c8399396795d1863954b8d79507
SHA256 b07c4d99d4cbb62b31a425e60c993b809c7043518a9ef0b7b561abd180a1b768
SHA512 f5bb4bdd05836c494a560dc9aa16d62d29b90df7c5854d4a97b8e274890dd1476de955637237867a666c1f08785f5dc06d571e023b124530ee87cf6fdb98689f

memory/4592-109-0x0000000007F80000-0x000000000801E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\195768C550F2FE115991EF552E6FC5FC\kl.ui.framework.uikit.b2c.dll

MD5 445e34aa976419cae54e13ede8d41ce5
SHA1 98ca3ee808f97ae16970b0fcefd3387bd07278eb
SHA256 a255bb5dfaa685d7443dbc8bb7fca71417c8f0b1f617ade7077ee437a23a9b24
SHA512 86b4084cf781d4efbb814fce3ed6ca48addbf4c15c5ed3630673350cf65056a80e2a9bc00581a45ae370a64f0bc720d506622eccd9d7ef170814faab1cce14c4

memory/4592-105-0x0000000073A20000-0x00000000741D0000-memory.dmp

memory/4592-98-0x0000000007E70000-0x0000000007EDA000-memory.dmp

memory/4592-116-0x0000000073A20000-0x00000000741D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\195768C550F2FE115991EF552E6FC5FC\sharpvectorrenderingwpf.dll

MD5 faec58e7785c287a7c688f274207048d
SHA1 66c038c720035b7212a7d3733da4520e3b95d63b
SHA256 4c76dd0441a8021a308be24cf0c1957bee280451abcc1467acf47f1a6f7f5dce
SHA512 9269a91a5bab01f076d8e9fde2991463fb224dc6382f8cde3a118e83cb35bdf580b4ea7686f2ea767a2a9c04650222edfc3a8b2569978b734c51b7135915448e

memory/4592-125-0x0000000008320000-0x0000000008342000-memory.dmp

memory/4592-126-0x00000000083F0000-0x0000000008482000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\195768C550F2FE115991EF552E6FC5FC\sharpvectormodel.dll

MD5 225a73e5a0cf87453832b578db6daddb
SHA1 a36717a1b2c7eb2ba160fec5fa80e48b9e57c4ac
SHA256 0499708762c56b9339c980e731ffab294e9b18362af3dcb4ad4481f1c7bd60c1
SHA512 565ee2105bd626650857e0e6f9c8f7d87a68c3ec41923de119a3b710038a4785e16ccf79feb4c1c4f8a308f682163089228ac4ac81295cea754ae1189311c965

memory/4592-138-0x00000000084F0000-0x000000000850C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\195768C550F2FE115991EF552E6FC5FC\sharpvectorcss.dll

MD5 726d04bbe783a3510b18a491adac05c0
SHA1 11a01c68204dd80b32c01dcdb2e51f5b0ee34d98
SHA256 639e091c9e87986eaf9fe00f0f401834e14878ebc48084697fd4307713a065ca
SHA512 90592ddef83b6640cf8f28f0818098f95acc4139c7b3f5e8afa63bb873530be1613d42ee02dae12160737ee612187fc0139e19ee4a7f1abb3fec1fcaee1ae297

memory/4592-134-0x0000000008880000-0x000000000897A000-memory.dmp

memory/4592-130-0x0000000008490000-0x00000000084C2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\195768C550F2FE115991EF552E6FC5FC\sharpvectorcore.dll

MD5 24e3b7177eeabdf085a01796b49c8e55
SHA1 6916a0bb98892252f59692fd0405e6da62af0f8b
SHA256 eab963926cf2d62b575c6f33804372fea04db328b2b3f0adfb45fee3f27e5386
SHA512 5e377e609673f3d84e22d070012578b8a18fce848a3815d9da05e10043d3e9fde8070094d1841acb44a4f876d8741e371a5fbcc86cce80cdf826131370a41e64

C:\Users\Admin\AppData\Local\Temp\195768C550F2FE115991EF552E6FC5FC\sharpvectorconverterswpf.dll

MD5 a56a73b39703d5ff85b5cf12f9b00009
SHA1 e6448c87f969e19ae4c6514d69d8286d26a2b5db
SHA256 bb5966185017d904d2d7fd952bcc6d5c19fdf6bbbe34ab29c63a3784cd1074c7
SHA512 7fa07a1fcc0735186ee71b3c123b1c4076f04dba5ad319588ea695ef117ab7c39918593e4ee42f18cbd3fe01d043e896981ca6f07293fc2fb0a9bce5d66992b5

memory/4592-121-0x00000000082E0000-0x0000000008314000-memory.dmp

memory/4592-142-0x00000000084D0000-0x00000000084DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\195768C550F2FE115991EF552E6FC5FC\sharpvectordom.dll

MD5 e4f6efef27708458ecda4ee22edf3cef
SHA1 07ccb5fa980dead816737ad83802cbfed18e4a4f
SHA256 413e485d8dd07231d70107d86ee1a17ce705517aed8346b4701747d1fdbfdfc3
SHA512 4920e508304df14041df1189938a1102e4a71e2e57ac4b9b804b6b0405c89c8292012a5ff4dae21268204ed6d9b56a279f4ce18d709074d1cba71cc9d5e11a1d

memory/4592-146-0x0000000008780000-0x0000000008792000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\195768C550F2FE115991EF552E6FC5FC\sharpvectorruntimewpf.dll

MD5 0e203d24d04e89779638dd70d5335b39
SHA1 98ffc3718c6e34bd6d696bbcce605db666f99b01
SHA256 f15b5199850b8ed98d2202972ada759823a17893a68d60ca3a0f76ee31aeb204
SHA512 a07f54cce2add948340807b8ecf430e72c07032332046e5dd05d9da90f7d732921c0ff628592ff0710914ec9d9b7188b46377e1594a9f9809a107a022de1cfee

memory/4592-157-0x000000000C7B0000-0x000000000C7BE000-memory.dmp

memory/4592-156-0x000000000C7F0000-0x000000000C828000-memory.dmp

memory/4592-158-0x0000000073A2E000-0x0000000073A2F000-memory.dmp

memory/4592-159-0x0000000073A20000-0x00000000741D0000-memory.dmp

memory/4592-160-0x0000000073A20000-0x00000000741D0000-memory.dmp

memory/4592-161-0x0000000073A20000-0x00000000741D0000-memory.dmp

memory/4592-162-0x0000000073A20000-0x00000000741D0000-memory.dmp

memory/4592-164-0x0000000006880000-0x0000000006888000-memory.dmp