Malware Analysis Report

2024-11-13 16:48

Sample ID 200811-wzavn447yn
Target Electronic_Tracking_INV_#9836582365728523752.exe
SHA256 a1bdc2ca2e359ac7d5c26afb3cd89bb39285b8a8acc5876e691ceb4ba807b704
Tags buer loader persistence
Score 10/10

Analysis Overview

Score 10/10

SHA256 a1bdc2ca2e359ac7d5c26afb3cd89bb39285b8a8acc5876e691ceb4ba807b704

Threat Level: Known bad

The file Electronic_Tracking_INV_#9836582365728523752.exe was found to be: Known bad.

Malicious Activity Summary

buer loader persistence

Buer

Modifies WinLogon for persistence

Buer Loader

Executes dropped EXE

Loads dropped DLL

Deletes itself

Suspicious use of SetThreadContext

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2020-08-11 15:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2020-08-11 15:48

Reported

2020-08-11 15:50

Platform

win7

Max time kernel

141s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Electronic_Tracking_INV_#9836582365728523752.exe"

Signatures

Buer

loader buer

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\1ff6f9cacff382d10a1a\\gennt.exe\"" C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe N/A

Buer Loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe N/A
N/A N/A C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\electronic_tracking_inv_#9836582365728523752.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Electronic_Tracking_INV_#9836582365728523752.exe N/A
N/A N/A C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1124 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\Electronic_Tracking_INV_#9836582365728523752.exe C:\Users\Admin\AppData\Local\Temp\electronic_tracking_inv_#9836582365728523752.exe
PID 1124 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\Electronic_Tracking_INV_#9836582365728523752.exe C:\Users\Admin\AppData\Local\Temp\electronic_tracking_inv_#9836582365728523752.exe
PID 1124 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\Electronic_Tracking_INV_#9836582365728523752.exe C:\Users\Admin\AppData\Local\Temp\electronic_tracking_inv_#9836582365728523752.exe
PID 1124 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\Electronic_Tracking_INV_#9836582365728523752.exe C:\Users\Admin\AppData\Local\Temp\electronic_tracking_inv_#9836582365728523752.exe
PID 1124 wrote to memory of 1172 N/A C:\Users\Admin\AppData\Local\Temp\Electronic_Tracking_INV_#9836582365728523752.exe C:\Users\Admin\AppData\Local\Temp\electronic_tracking_inv_#9836582365728523752.exe
PID 1172 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\electronic_tracking_inv_#9836582365728523752.exe C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe
PID 1172 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\electronic_tracking_inv_#9836582365728523752.exe C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe
PID 1172 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\electronic_tracking_inv_#9836582365728523752.exe C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe
PID 1172 wrote to memory of 1380 N/A C:\Users\Admin\AppData\Local\Temp\electronic_tracking_inv_#9836582365728523752.exe C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe
PID 1380 wrote to memory of 1820 N/A C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe
PID 1380 wrote to memory of 1820 N/A C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe
PID 1380 wrote to memory of 1820 N/A C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe
PID 1380 wrote to memory of 1820 N/A C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe
PID 1380 wrote to memory of 1820 N/A C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe
PID 1820 wrote to memory of 1252 N/A C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 1820 wrote to memory of 1252 N/A C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 1820 wrote to memory of 1252 N/A C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 1820 wrote to memory of 1252 N/A C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 1820 wrote to memory of 1252 N/A C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 1820 wrote to memory of 1252 N/A C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 1820 wrote to memory of 1252 N/A C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 1820 wrote to memory of 1252 N/A C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 1820 wrote to memory of 1252 N/A C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 1820 wrote to memory of 1252 N/A C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 1820 wrote to memory of 1252 N/A C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 1820 wrote to memory of 1252 N/A C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 1820 wrote to memory of 1788 N/A C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1820 wrote to memory of 1788 N/A C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1820 wrote to memory of 1788 N/A C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1820 wrote to memory of 1788 N/A C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Electronic_Tracking_INV_#9836582365728523752.exe

"C:\Users\Admin\AppData\Local\Temp\Electronic_Tracking_INV_#9836582365728523752.exe"

C:\Users\Admin\AppData\Local\Temp\electronic_tracking_inv_#9836582365728523752.exe

"C:\Users\Admin\AppData\Local\Temp\Electronic_Tracking_INV_#9836582365728523752.exe"

C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe

C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe "C:\Users\Admin\AppData\Local\Temp\electronic_tracking_inv_#9836582365728523752.exe" ensgJJ

C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe

C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe "C:\Users\Admin\AppData\Local\Temp\electronic_tracking_inv_#9836582365728523752.exe" ensgJJ

C:\Windows\SysWOW64\secinit.exe

C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -Command "& {Add-MpPreference -ExclusionPath C:\ProgramData\1ff6f9cacff382d10a1a}"

Network

N/A

Files

memory/1124-0-0x0000000000100000-0x000000000010F000-memory.dmp

memory/1172-1-0x0000000040000000-0x000000004000C000-memory.dmp

memory/1172-2-0x000000004000303B-mapping.dmp

memory/1172-4-0x0000000040000000-0x000000004000C000-memory.dmp

\ProgramData\1ff6f9cacff382d10a1a\gennt.exe

MD5 64f86981c7450dfd2c3915f213fc6720
SHA1 5410d0e8569f0936b32de3199e8a187d6227fc1f
SHA256 a1bdc2ca2e359ac7d5c26afb3cd89bb39285b8a8acc5876e691ceb4ba807b704
SHA512 02e9e2e41a96a4e0279de44c5cdd7c18a4d08966e0e2ba9979d929f0fa5a902db1ceb3f2eb8a73d97725eed917f9e57d11999a0218f3f286908bf7e731931b22

memory/1380-6-0x0000000000000000-mapping.dmp

C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe

MD5 64f86981c7450dfd2c3915f213fc6720
SHA1 5410d0e8569f0936b32de3199e8a187d6227fc1f
SHA256 a1bdc2ca2e359ac7d5c26afb3cd89bb39285b8a8acc5876e691ceb4ba807b704
SHA512 02e9e2e41a96a4e0279de44c5cdd7c18a4d08966e0e2ba9979d929f0fa5a902db1ceb3f2eb8a73d97725eed917f9e57d11999a0218f3f286908bf7e731931b22

memory/1380-8-0x00000000000D0000-0x00000000000DF000-memory.dmp

memory/1820-10-0x000000004000303B-mapping.dmp

C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe

MD5 64f86981c7450dfd2c3915f213fc6720
SHA1 5410d0e8569f0936b32de3199e8a187d6227fc1f
SHA256 a1bdc2ca2e359ac7d5c26afb3cd89bb39285b8a8acc5876e691ceb4ba807b704
SHA512 02e9e2e41a96a4e0279de44c5cdd7c18a4d08966e0e2ba9979d929f0fa5a902db1ceb3f2eb8a73d97725eed917f9e57d11999a0218f3f286908bf7e731931b22

C:\ProgramData\1ff6f9cacff382d10a1a\gennt.exe

MD5 64f86981c7450dfd2c3915f213fc6720
SHA1 5410d0e8569f0936b32de3199e8a187d6227fc1f
SHA256 a1bdc2ca2e359ac7d5c26afb3cd89bb39285b8a8acc5876e691ceb4ba807b704
SHA512 02e9e2e41a96a4e0279de44c5cdd7c18a4d08966e0e2ba9979d929f0fa5a902db1ceb3f2eb8a73d97725eed917f9e57d11999a0218f3f286908bf7e731931b22

memory/1252-15-0x0000000000000000-mapping.dmp

memory/1788-16-0x0000000000000000-mapping.dmp

memory/1788-17-0x0000000073BD0000-0x00000000742BE000-memory.dmp

memory/1788-18-0x0000000002330000-0x0000000002331000-memory.dmp

memory/1788-19-0x0000000004740000-0x0000000004741000-memory.dmp

memory/1788-20-0x0000000004FF0000-0x0000000004FF1000-memory.dmp

memory/1788-21-0x0000000005240000-0x0000000005241000-memory.dmp

memory/1788-24-0x00000000056A0000-0x00000000056A1000-memory.dmp

memory/1788-29-0x0000000006090000-0x0000000006091000-memory.dmp

memory/1788-30-0x0000000006210000-0x0000000006211000-memory.dmp

memory/1788-37-0x00000000061B0000-0x00000000061B1000-memory.dmp

memory/1788-38-0x0000000005610000-0x0000000005611000-memory.dmp

memory/1788-52-0x0000000006300000-0x0000000006301000-memory.dmp

memory/1788-53-0x0000000006310000-0x0000000006311000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2020-08-11 15:48

Reported

2020-08-11 15:50

Platform

win10v200722

Max time kernel

123s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Electronic_Tracking_INV_#9836582365728523752.exe"

Signatures

Buer

loader buer

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\ProgramData\\7d88e65552dcd26d37bf\\gennt.exe\"" C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe N/A

Buer Loader

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe N/A
N/A N/A C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\secinit.exe

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Electronic_Tracking_INV_#9836582365728523752.exe N/A
N/A N/A C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WerFault.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3908 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\Electronic_Tracking_INV_#9836582365728523752.exe C:\Users\Admin\AppData\Local\Temp\electronic_tracking_inv_#9836582365728523752.exe
PID 3908 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\Electronic_Tracking_INV_#9836582365728523752.exe C:\Users\Admin\AppData\Local\Temp\electronic_tracking_inv_#9836582365728523752.exe
PID 3908 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\Electronic_Tracking_INV_#9836582365728523752.exe C:\Users\Admin\AppData\Local\Temp\electronic_tracking_inv_#9836582365728523752.exe
PID 3908 wrote to memory of 3704 N/A C:\Users\Admin\AppData\Local\Temp\Electronic_Tracking_INV_#9836582365728523752.exe C:\Users\Admin\AppData\Local\Temp\electronic_tracking_inv_#9836582365728523752.exe
PID 3704 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\electronic_tracking_inv_#9836582365728523752.exe C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe
PID 3704 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\electronic_tracking_inv_#9836582365728523752.exe C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe
PID 3704 wrote to memory of 2420 N/A C:\Users\Admin\AppData\Local\Temp\electronic_tracking_inv_#9836582365728523752.exe C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe
PID 2420 wrote to memory of 2856 N/A C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe
PID 2420 wrote to memory of 2856 N/A C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe
PID 2420 wrote to memory of 2856 N/A C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe
PID 2420 wrote to memory of 2856 N/A C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe
PID 2856 wrote to memory of 2568 N/A C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 2856 wrote to memory of 2568 N/A C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 2856 wrote to memory of 2568 N/A C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 2856 wrote to memory of 2568 N/A C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 2856 wrote to memory of 2568 N/A C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 2856 wrote to memory of 2568 N/A C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 2856 wrote to memory of 2568 N/A C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 2856 wrote to memory of 2568 N/A C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 2856 wrote to memory of 2568 N/A C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 2856 wrote to memory of 2568 N/A C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe C:\Windows\SysWOW64\secinit.exe
PID 2856 wrote to memory of 2568 N/A C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe C:\Windows\SysWOW64\secinit.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Electronic_Tracking_INV_#9836582365728523752.exe

"C:\Users\Admin\AppData\Local\Temp\Electronic_Tracking_INV_#9836582365728523752.exe"

C:\Users\Admin\AppData\Local\Temp\electronic_tracking_inv_#9836582365728523752.exe

"C:\Users\Admin\AppData\Local\Temp\Electronic_Tracking_INV_#9836582365728523752.exe"

C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe

C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe "C:\Users\Admin\AppData\Local\Temp\electronic_tracking_inv_#9836582365728523752.exe" ensgJJ

C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe

C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe "C:\Users\Admin\AppData\Local\Temp\electronic_tracking_inv_#9836582365728523752.exe" ensgJJ

C:\Windows\SysWOW64\secinit.exe

C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2568 -s 332

Network

Country Destination Domain Proto
N/A 13.107.4.52:80 www.msftconnecttest.com tcp

Files

memory/3908-0-0x0000000000F70000-0x0000000000F7F000-memory.dmp

memory/3704-1-0x0000000040000000-0x000000004000C000-memory.dmp

memory/3704-2-0x000000004000303B-mapping.dmp

memory/3704-4-0x0000000040000000-0x000000004000C000-memory.dmp

memory/2420-5-0x0000000000000000-mapping.dmp

C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe

MD5 64f86981c7450dfd2c3915f213fc6720
SHA1 5410d0e8569f0936b32de3199e8a187d6227fc1f
SHA256 a1bdc2ca2e359ac7d5c26afb3cd89bb39285b8a8acc5876e691ceb4ba807b704
SHA512 02e9e2e41a96a4e0279de44c5cdd7c18a4d08966e0e2ba9979d929f0fa5a902db1ceb3f2eb8a73d97725eed917f9e57d11999a0218f3f286908bf7e731931b22

C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe

MD5 64f86981c7450dfd2c3915f213fc6720
SHA1 5410d0e8569f0936b32de3199e8a187d6227fc1f
SHA256 a1bdc2ca2e359ac7d5c26afb3cd89bb39285b8a8acc5876e691ceb4ba807b704
SHA512 02e9e2e41a96a4e0279de44c5cdd7c18a4d08966e0e2ba9979d929f0fa5a902db1ceb3f2eb8a73d97725eed917f9e57d11999a0218f3f286908bf7e731931b22

memory/2420-8-0x00000000005D0000-0x00000000005DF000-memory.dmp

memory/2856-10-0x000000004000303B-mapping.dmp

C:\ProgramData\7d88e65552dcd26d37bf\gennt.exe

MD5 64f86981c7450dfd2c3915f213fc6720
SHA1 5410d0e8569f0936b32de3199e8a187d6227fc1f
SHA256 a1bdc2ca2e359ac7d5c26afb3cd89bb39285b8a8acc5876e691ceb4ba807b704
SHA512 02e9e2e41a96a4e0279de44c5cdd7c18a4d08966e0e2ba9979d929f0fa5a902db1ceb3f2eb8a73d97725eed917f9e57d11999a0218f3f286908bf7e731931b22

memory/2568-14-0x0000000000000000-mapping.dmp

memory/3820-15-0x0000000004790000-0x0000000004791000-memory.dmp

memory/2568-16-0x0000000000000000-mapping.dmp

memory/2568-17-0x0000000000000000-mapping.dmp

memory/2568-18-0x0000000000000000-mapping.dmp

memory/2568-19-0x0000000000000000-mapping.dmp

memory/2568-20-0x0000000000000000-mapping.dmp

memory/3820-21-0x0000000004F60000-0x0000000004F61000-memory.dmp