Analysis
- max time kernel: 146s
- max time network: 149s
- platform: windows7_x64
- resource: win7v20201028
- submitted: 06-01-2021 02:04

Static task: static1

Behavioral task: behavioral1
- Sample: c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
- Resource: win7v20201028

Behavioral task: behavioral2
- Sample: c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
- Resource: win10v20201028

General
- Target: c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
- Size: 262KB
- MD5: 53e7b9e873404afdd22cdeba41b4e1c9
- SHA1: 18b1a19f826e9d48d5776f6e3c279547f3ff517d
- SHA256: c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec
- SHA512: ccc0af85ea847c45d11e213030e6b3224503c22fe70519049095b1d84cbf61e50c72ab370a03e456338127b52d462826248a6413706ab900afac16adf1deb9dd
Malware Config
Extracted from: C:\Users\Admin\AppData\Local\Temp\readme-warning.txt
- Family: makop
- Contact e-mail: moloch_helpdesk@tutanota.com
- Contact e-mail: moloch_helpdesk@protonmail.ch
Signatures
-
Makop
Ransomware family discovered by @VK_Intel in early 2020.
-
Deletes backup catalog 2 TTPs
Ransomware often targets backup files to inhibit system recovery. The wbadmin.exe invocation recorded here (wbadmin delete catalog -quiet, see the process tree) removes the Windows Backup catalog; the shadow-copy deletion itself is the vssadmin.exe entry under "Interacts with shadow copies" below.
-
Processes:
- wbadmin.exe (PID 1308)
Loads dropped DLL 4 IoCs
Processes:
- PID 1676 c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
- PID 1696 c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
- PID 948 c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
- PID 1092 c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
The dropped DLL in each case is a \Users\Admin\AppData\Local\Temp\ns<hex>.tmp\System.dll (four extraction directories, one per loader process, identical hash; see Downloads). That path and name are the NSIS installer framework's System plugin, so the outer executable is NSIS-packaged; the System plugin is what NSIS scripts use to call arbitrary Win32 APIs, which fits the WriteProcessMemory and SetThreadContext activity attributed to these same four PIDs.
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3825035466-2522850611-591511364-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "C:\Users\Admin\AppData\Local\Temp\c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe" (the data is the quoted path)
Legitimate hosting services abused for malware hosting/C2 1 TTPs
-
Suspicious use of SetThreadContext 4 IoCs
Processes (source PID set thread context of target PID; both images are c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe):
- PID 1676 set thread context of PID 1692
- PID 1696 set thread context of PID 220
- PID 948 set thread context of PID 1588
- PID 1092 set thread context of PID 1960
Drops file in Program Files directory 9680 IoCs
Processes: every entry below is attributed to c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe (the page shows the first 64 of 9680 IoCs):
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00623_.WMF
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\OIS_COL.HXC
- File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_ButtonGraphic.png
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.access
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.e4.rcp_1.3.100.v20141007-2033\feature.properties
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\README.html
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-startup.xml
- File opened for modification C:\Program Files\Java\jre7\lib\zi\Indian\Mahe
- File opened for modification C:\Program Files\MountRename.pub
- File opened for modification C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\sql2000.xsl
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Desert\HEADER.GIF
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\ERROR.GIF
- File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png
- File created C:\Program Files\VideoLAN\VLC\lua\playlist\readme-warning.txt
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0202045.JPG
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0293832.WMF
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00681_.WMF
- File opened for modification C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat
- File opened for modification C:\Program Files\Common Files\Microsoft Shared\Stationery\Seyes.emf
- File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\18.png
- File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\GRPHFLT\MS.CGM
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0153518.WMF
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0309598.JPG
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsHomePageScript.js
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\org-netbeans-modules-keyring.jar
- File opened for modification C:\Program Files\Windows Media Player\Media Renderer\RenderingControl.xml
- File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\init.js
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BS00078_.WMF
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\EXCEL_K_COL.HXK
- File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\UrbanLetter.Dotx
- File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\images\diner_m.png
- File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\(120DPI)grayStateIcon.png
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01172_.WMF
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0384900.JPG
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.sat4j.core_2.3.5.v201308161310.jar
- File created C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\readme-warning.txt
- File opened for modification C:\Program Files\Windows Media Player\Media Renderer\DMR_120.png
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO00828_.WMF
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\Computers\computericon.jpg
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\STS2\tab_off.gif
- File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\images\corner.png
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sendopts.xml
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\modules\locale\com-sun-tools-visualvm-sampler_zh_CN.jar
- File opened for modification C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-bg_flat_10_000000_40x100.png
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\BD05119_.WMF
- File opened for modification C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD15023_.GIF
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\VIEW.JS
- File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\images\next_rest.png
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.jface.databinding.nl_zh_4.4.0.v20140623020002.jar
- File opened for modification C:\Program Files\Java\jre7\lib\zi\America\Edmonton
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD00407_.WMF
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01585_.WMF
- File opened for modification C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\CodeFile.zip
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\UCT
- File opened for modification C:\Program Files\Java\jre7\lib\zi\Etc\GMT-7
- File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SONORA\THMBNAIL.PNG
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsFormTemplateRTL.html
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099154.JPG
- File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\14.png
- File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\30.png
- File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\images\calendar_ring_docked.png
- File opened for modification C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0237228.WMF
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PUBBA\MSPUB1A.BDR
- File opened for modification C:\Program Files (x86)\Microsoft Office\Templates\1033\LoanAmortization.xltx
-
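The file list above is a 64-entry slice of 9680 events and, read entry by entry, says little. What makes it a ransomware signal is the fan-out: one process rewriting files across every product directory under Program Files and creating the same readme-warning.txt in directory after directory. The code below is an added example, not code from this page or from the sandbox vendor. It profiles file-event telemetry per process and separates an encryptor from an installer on exactly that fan-out. The events are constructed from a handful of the paths listed above (attributed to PID 1692, the process the tree tags with "Drops file in Program Files directory"), plus a made-up benign installer (PID 5000, setup.exe) as a control; the event tuple layout and the thresholds are assumptions.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SAMPLE = "c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe"
PROGRAM_FILES = re.compile(r"^[A-Z]:\\Program Files( \(x86\))?\\", re.I)
# First directory level below Program Files, e.g. "Java" or "VideoLAN".
PRODUCT_DIR = re.compile(r"^[A-Z]:\\Program Files( \(x86\))?\\([^\\]+)\\", re.I)

# Constructed file events: (pid, image, action, path). The PID 1692 paths are
# taken from the report's IoC list; PID 5000 is a made-up benign installer.
FILE_EVENTS: List[Tuple[int, str, str, str]] = [
    (1692, SAMPLE, "modified", r"C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\HH00623_.WMF"),
    (1692, SAMPLE, "modified", r"C:\Program Files (x86)\Microsoft Office\Office14\1033\OIS_COL.HXC"),
    (1692, SAMPLE, "modified", r"C:\Program Files\DVD Maker\Shared\DvdStyles\LayeredTitles\NavigationUp_ButtonGraphic.png"),
    (1692, SAMPLE, "modified", r"C:\Program Files\Java\jdk1.7.0_80\jre\lib\management\jmxremote.access"),
    (1692, SAMPLE, "modified", r"C:\Program Files\Java\jre7\lib\zi\Indian\Mahe"),
    (1692, SAMPLE, "modified", r"C:\Program Files\MountRename.pub"),  # directly under Program Files
    (1692, SAMPLE, "modified", r"C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\sql2000.xsl"),
    (1692, SAMPLE, "modified", r"C:\Program Files\VideoLAN\VLC\lua\http\css\ui-lightness\images\ui-icons_222222_256x240.png"),
    (1692, SAMPLE, "created",  r"C:\Program Files\VideoLAN\VLC\lua\playlist\readme-warning.txt"),
    (1692, SAMPLE, "modified", r"C:\Program Files\Common Files\Microsoft Shared\ink\hwruksh.dat"),
    (1692, SAMPLE, "modified", r"C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\18.png"),
    (1692, SAMPLE, "created",  r"C:\Program Files\VideoLAN\VLC\locale\as_IN\LC_MESSAGES\readme-warning.txt"),
    (1692, SAMPLE, "modified", r"C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\1033\CodeFile.zip"),
]
# Benign control (constructed): an installer rewrites many files, but all inside one product directory.
FILE_EVENTS += [(5000, "setup.exe", "modified", r"C:\Program Files\Example\bin\lib%02d.dll" % i) for i in range(12)]
FILE_EVENTS += [(5000, "setup.exe", "created", r"C:\Program Files\Example\README.txt")]


@dataclass
class Profile:
    pid: int
    image: str
    modified: int             # files opened for modification under Program Files
    product_dirs: int         # distinct first-level product directories touched
    note_name: Optional[str]  # most widely created file name (the ransom note, if any)
    note_dirs: int            # number of distinct directories that name was created in


def profile_processes(events: List[Tuple[int, str, str, str]]) -> Dict[int, Profile]:
    """Aggregate per-process file activity under Program Files."""
    images: Dict[int, str] = {}
    modified: Counter = Counter()
    product_dirs: Dict[int, set] = defaultdict(set)
    created: Dict[int, Dict[str, set]] = defaultdict(lambda: defaultdict(set))  # pid -> name -> dirs
    for pid, image, action, path in events:
        images[pid] = image
        if not PROGRAM_FILES.match(path):
            continue  # only the Program Files tree is profiled here
        if action == "modified":
            modified[pid] += 1
            m = PRODUCT_DIR.match(path)
            if m:  # a file directly under Program Files has no product directory
                product_dirs[pid].add(m.group(2).lower())
        elif action == "created":
            directory, name = path.rsplit("\\", 1)
            created[pid][name.lower()].add(directory.lower())
    profiles: Dict[int, Profile] = {}
    for pid, image in images.items():
        note_name, note_dirs = None, 0
        if created[pid]:
            note_name, dirs = max(created[pid].items(), key=lambda kv: len(kv[1]))
            note_dirs = len(dirs)
        profiles[pid] = Profile(pid, image, modified[pid], len(product_dirs[pid]), note_name, note_dirs)
    return profiles


def is_ransomware_like(p: Profile, min_modified: int = 10, min_product_dirs: int = 4, min_note_dirs: int = 2) -> bool:
    """Fan-out is the discriminator: an installer rewrites many files inside one
    product directory; an encryptor touches everything it can reach and drops
    the same note into every directory it visits. Thresholds are assumptions."""
    mass_rewrite = p.modified >= min_modified and p.product_dirs >= min_product_dirs
    note_fanout = p.note_dirs >= min_note_dirs
    return mass_rewrite or note_fanout


if __name__ == "__main__":
    for prof in profile_processes(FILE_EVENTS).values():
        print(prof, "->", "RANSOMWARE-LIKE" if is_ransomware_like(prof) else "ok")
```

In production the same two measures would be computed over a sliding time window rather than over a whole capture, and the note-name check would be restricted to file names that the process created in directories it also modified files in; both are refinements on the fan-out idea, not a different signal.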
Interacts with shadow copies 2 TTPs 1 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
- vssadmin.exe (PID 1080)
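Taken together, the three commands in this report's process tree (vssadmin delete shadows /all /quiet, wbadmin delete catalog -quiet and wmic shadowcopy delete, all launched from one cmd.exe) and the Run key pointing into AppData\Local\Temp are the two host signals worth alerting on. The code below is an added example, not from this page or from the sandbox vendor: detection logic over constructed Sysmon-style process-creation and registry events that reuses the report's PIDs, command lines and Run-key path, plus two made-up benign records (a vssadmin list shadows and a Run value under Program Files) to show what must not fire. The event field names, the benign records and the "two techniques under one parent" threshold are assumptions.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional

SAMPLE = "c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe"
RUN_KEY_PATH = (r"HKU\S-1-5-21-3825035466-2522850611-591511364-1000"
                r"\Software\Microsoft\Windows\CurrentVersion\Run")

# Constructed Sysmon-style events. PIDs, images, command lines and the Run key
# come from the report; the two records marked "benign control" and the field
# layout are assumptions made for this example.
EVENTS: List[dict] = [
    {"type": "process", "pid": 1652, "ppid": 1692, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'"C:\Windows\system32\cmd.exe"'},
    {"type": "process", "pid": 1080, "ppid": 1652, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": "vssadmin delete shadows /all /quiet"},
    {"type": "process", "pid": 1308, "ppid": 1652, "image": r"C:\Windows\system32\wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"type": "process", "pid": 1424, "ppid": 1652, "image": r"C:\Windows\System32\Wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"type": "process", "pid": 2000, "ppid": 3000, "image": r"C:\Windows\system32\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},                                    # benign control
    {"type": "registry", "pid": 1692, "image": SAMPLE, "key": RUN_KEY_PATH + r"\1",
     "value": '"C:\\Users\\Admin\\AppData\\Local\\Temp\\' + SAMPLE + '"'},
    {"type": "registry", "pid": 4000, "image": "updater.exe", "key": RUN_KEY_PATH + r"\Updater",
     "value": r'"C:\Program Files\Example\updater.exe" /background'},       # benign control
]

# Command-line patterns for backup inhibition. Case-insensitive; read-only
# invocations such as "vssadmin list shadows" deliberately do not match.
BACKUP_INHIBITION = [
    (re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I), "vssadmin delete shadows"),
    (re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I), "wbadmin delete catalog"),
    (re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I), "wmic shadowcopy delete"),
]
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\", re.I)
USER_WRITABLE = re.compile(r"\\AppData\\|\\Users\\Public\\|\\Temp\\", re.I)


@dataclass(frozen=True)
class Finding:
    pid: int
    ppid: Optional[int]
    technique: str
    detail: str


def detect_backup_inhibition(events: List[dict]) -> List[Finding]:
    """One finding per process whose command line deletes shadow copies or the backup catalog."""
    out = []
    for ev in events:
        if ev["type"] != "process":
            continue
        for rx, label in BACKUP_INHIBITION:
            if rx.search(ev["cmdline"]):
                out.append(Finding(ev["pid"], ev["ppid"], label, ev["cmdline"]))
    return out


def detect_run_key_persistence(events: List[dict]) -> List[Finding]:
    """Run/RunOnce values whose data points into a user-writable directory."""
    out = []
    for ev in events:
        if ev["type"] == "registry" and RUN_KEY.search(ev["key"]) and USER_WRITABLE.search(ev["value"]):
            out.append(Finding(ev["pid"], None, "Run key -> user-writable path", ev["value"]))
    return out


def correlate_by_parent(findings: List[Finding], min_techniques: int = 2) -> Dict[int, List[str]]:
    """A lone 'vssadmin delete shadows' can be an administrator; several distinct
    backup-inhibition techniques launched from the same parent is the ransomware
    pattern seen in this report (all three under cmd.exe PID 1652)."""
    by_parent: Dict[int, set] = defaultdict(set)
    for f in findings:
        if f.ppid is not None:
            by_parent[f.ppid].add(f.technique)
    return {ppid: sorted(t) for ppid, t in by_parent.items() if len(t) >= min_techniques}


if __name__ == "__main__":
    hits = detect_backup_inhibition(EVENTS)
    for f in hits + detect_run_key_persistence(EVENTS):
        print(f)
    print("high-confidence parents:", correlate_by_parent(hits))
```

The parent correlation is the part worth keeping: on a real fleet the single-command rules page constantly on backup jobs and helpdesk scripts, while three different deletion tools spawned by one shell within a capture is rarely anything but an encryptor.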
Modifies system certificate store 3 IoCs
Processes:
- c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349
- c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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
- c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe: Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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
AuthRoot\Certificates is the store that Windows' root-certificate auto-update populates on its own when a process triggers chain validation, so by itself this IoC is weak evidence of deliberate trust-store tampering; treat it as corroboration, not as a lead.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
- PID 1692 c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
Suspicious behavior: MapViewOfSection 4 IoCs
Processes:
- PID 1676 c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
- PID 1696 c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
- PID 948 c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
- PID 1092 c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes:
- vssvc.exe (PID 1956): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- wbengine.exe (PID 1740): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege
- WMIC.exe (PID 1424), the following 20 privileges enabled twice (40 IoCs): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, 33, 34, 35 (privilege LUIDs 33, 34 and 35 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege)
vssvc.exe (Volume Shadow Copy service) and wbengine.exe (Block Level Backup Engine service) are the Windows services that carry out the vssadmin and wbadmin requests; their privilege use is the service-side effect of the commands in the process tree, not sample code. WMIC enables its whole privilege set at start-up regardless of the query, so the 40 WMIC entries add nothing beyond the command line itself.
-
Suspicious use of WriteProcessMemory 33 IoCs
Processes (source PID wrote to memory of target PID; number of recorded calls in parentheses):
- 1676 c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe -> 1692 c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe (5)
- 1692 c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe -> 1652 cmd.exe (4)
- 1652 cmd.exe -> 1080 vssadmin.exe (3)
- 1652 cmd.exe -> 1308 wbadmin.exe (3)
- 1652 cmd.exe -> 1424 WMIC.exe (3)
- 1696 c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe -> 220 c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe (5)
- 948 c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe -> 1588 c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe (5)
- 1092 c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe -> 1960 c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe (5)
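The SetThreadContext, MapViewOfSection and WriteProcessMemory IoCs above describe the same sequence four times: a loader process writes into a freshly created child of its own image and then rewrites that child's thread context, the classic process-hollowing (RunPE) pattern, and the memory section records a mapping dump at 0x405A20 in each of the four targets (1692, 220, 1588, 1960). The writes from 1692 into cmd.exe, by contrast, have no SetThreadContext and are the ordinary ones a parent makes when starting any child, which is what a rule must not flag. The code below is an added example, not from this page or from the sandbox vendor: it correlates per-API events into one injection finding per child using the report's PIDs and call counts. The parent of PID 1676 (explorer.exe, PID 1000), the event tuple layout and the "direct child, same image" criterion are assumptions; the report does not record call order, so the code does not depend on it.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

SAMPLE = "c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe"


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int
    image: str


# Process table reconstructed from the report's tree. PID 1000 (explorer.exe) is a
# constructed parent for the first loader; the report does not show it.
PROCS: Dict[int, Proc] = {p.pid: p for p in [
    Proc(1000, 0, "explorer.exe"),
    Proc(1676, 1000, SAMPLE), Proc(1692, 1676, SAMPLE),
    Proc(1652, 1692, "cmd.exe"),
    Proc(1696, 1692, SAMPLE), Proc(220, 1696, SAMPLE),
    Proc(948, 1692, SAMPLE), Proc(1588, 948, SAMPLE),
    Proc(1092, 1692, SAMPLE), Proc(1960, 1092, SAMPLE),
]}

# (api, source pid, target pid) with the multiplicity the report lists. Order is
# not recorded on the page and is not used below.
API_EVENTS: List[Tuple[str, int, int]] = (
    [("WriteProcessMemory", 1676, 1692)] * 5 + [("SetThreadContext", 1676, 1692)]
    + [("WriteProcessMemory", 1692, 1652)] * 4              # plain CreateProcess of cmd.exe
    + [("WriteProcessMemory", 1696, 220)] * 5 + [("SetThreadContext", 1696, 220)]
    + [("WriteProcessMemory", 948, 1588)] * 5 + [("SetThreadContext", 948, 1588)]
    + [("WriteProcessMemory", 1092, 1960)] * 5 + [("SetThreadContext", 1092, 1960)]
)


@dataclass(frozen=True)
class Injection:
    source: int
    target: int
    writes: int   # WriteProcessMemory calls from source into target
    kind: str


def find_injections(procs: Dict[int, Proc], api_events: List[Tuple[str, int, int]]) -> List[Injection]:
    """One finding per (source, target) pair that had its thread context rewritten.
    WriteProcessMemory alone is normal parent-to-child start-up traffic; the
    SetThreadContext on a process that was written to is the discriminator."""
    writes: Dict[Tuple[int, int], int] = defaultdict(int)
    ctx_pairs: Set[Tuple[int, int]] = set()
    for api, src, tgt in api_events:
        if api == "WriteProcessMemory":
            writes[(src, tgt)] += 1
        elif api == "SetThreadContext":
            ctx_pairs.add((src, tgt))
    found = []
    for src, tgt in sorted(ctx_pairs):
        s, t = procs.get(src), procs.get(tgt)
        if s is None or t is None:
            continue
        if t.ppid == src and s.image.lower() == t.image.lower():
            kind = "process hollowing (child shares parent's image)"
        else:
            kind = "thread hijack (different image or not a direct child)"
        found.append(Injection(src, tgt, writes[(src, tgt)], kind))
    return found


def injected_pids(injections: List[Injection]) -> List[int]:
    return sorted(i.target for i in injections)


def generation(procs: Dict[int, Proc], targets: Set[int], pid: int) -> int:
    """1 + number of hollowed processes among pid's ancestors: 1692 is generation 1,
    the children hollowed by 1692's own children (220, 1588, 1960) are generation 2."""
    g, p = 1, procs[pid]
    while p.ppid in procs:
        p = procs[p.ppid]
        if p.pid in targets:
            g += 1
    return g


if __name__ == "__main__":
    inj = find_injections(PROCS, API_EVENTS)
    targets = {i.target for i in inj}
    for i in inj:
        print(i, "generation", generation(PROCS, targets, i.target))
```

Nested generations are the detail an analyst should carry into the report: the hollowed first-stage process (1692) is the one that persists via the Run key, drops files and spawns cmd.exe, and it then launches three more loader copies that each hollow a child of their own, which is why every loader PID and every target PID above needs to be in the containment list, not only the one that ran the vssadmin chain.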
Processes
PIDs are taken from the signature sections above. The three depth-3 loader copies are PIDs 1696, 948 and 1092 (targets 220, 1588 and 1960); the page does not say which tree entry is which.
- C:\Users\Admin\AppData\Local\Temp\c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe (PID 1676)
  command line: "C:\Users\Admin\AppData\Local\Temp\c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe (PID 1692, target of SetThreadContext from 1676)
    command line: "C:\Users\Admin\AppData\Local\Temp\c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe"
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Modifies system certificate store
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe (one of PID 1696 / 948 / 1092)
      command line: "C:\Users\Admin\AppData\Local\Temp\c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe" n1692
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe (target of SetThreadContext from its parent)
        command line: "C:\Users\Admin\AppData\Local\Temp\c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe" n1692
    - C:\Windows\system32\cmd.exe (PID 1652)
      command line: "C:\Windows\system32\cmd.exe"
      - Suspicious use of WriteProcessMemory
      - C:\Windows\system32\vssadmin.exe (PID 1080)
        command line: vssadmin delete shadows /all /quiet
        - Interacts with shadow copies
      - C:\Windows\system32\wbadmin.exe (PID 1308)
        command line: wbadmin delete catalog -quiet
        - Deletes backup catalog
      - C:\Windows\System32\Wbem\WMIC.exe (PID 1424)
        command line: wmic shadowcopy delete
        - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe (one of PID 1696 / 948 / 1092)
      command line: "C:\Users\Admin\AppData\Local\Temp\c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe" n1692
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe (target of SetThreadContext from its parent)
        command line: "C:\Users\Admin\AppData\Local\Temp\c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe" n1692
    - C:\Users\Admin\AppData\Local\Temp\c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe (one of PID 1696 / 948 / 1092)
      command line: "C:\Users\Admin\AppData\Local\Temp\c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe" n1692
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe (target of SetThreadContext from its parent)
        command line: "C:\Users\Admin\AppData\Local\Temp\c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec.bin.exe" n1692
- C:\Windows\system32\vssvc.exe (PID 1956)
  command line: C:\Windows\system32\vssvc.exe
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\wbengine.exe (PID 1740)
  command line: "C:\Windows\system32\wbengine.exe"
  - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\vdsldr.exe
  command line: C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe
  command line: C:\Windows\System32\vds.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\Users\Admin\AppData\Roaming\827763568
  MD5: 807ba49982736128dc602cfef746d6a6
  SHA1: e084136ab87bd1663f6a30c55508336a21db58d6
  SHA256: 8ac5afa9b069b96cd38b83acf893acc5cd6639d2a76c2f7bae45ae6859c40895
  SHA512: 4ca14b355e047dd7dcaeeb6579fcf1f6a38f35739069fb9af47b2fa8de0725815ca10e1c2aba27d7bea2d5f7ac765bd49210fb5ec1af10e9e775d42aa5668116
- C:\Users\Admin\AppData\Roaming\827763568
  MD5: bc251d6a9f3408d4a2ff3add1d27ad3d
  SHA1: 99091c8e7a4ce7df879e157ddfba12d60095b1a9
  SHA256: 6e74f04c654aac5a0660ec5db3bfc2fa1ac1dc8a5f3fe683f36bcf8b049abd31
  SHA512: 23b91b23223432e345b38ceb5bcb0396f166cb079992491df275df1904dfa2c9e2f359a4c6bfba11de01d8df1ff777d0f9ed6921ada99ae44e38cb739747a995
- C:\Users\Admin\AppData\Roaming\827763568
  MD5: 47be810a8daee4d2db2731c4822b4f8c
  SHA1: 34e6da2951af2203610013a580d10467d1ec135f
  SHA256: 1ea6731de8dcf467a848e25acb785a27a5cb27988aff016413f09a7039d1a602
  SHA512: 69047eca5e69d3d4d03f2eeeed94bcfb8cf3adc522216c2854afc8a65004c6f303e18b0ba97ed3d1851d83d99290e7b52d574cfdfaefa3a5fb85c14e21afedfe
- C:\Users\Admin\AppData\Roaming\827763568
  MD5: 7ba6d1fd4f3d61539d62e71bb591d486
  SHA1: 57f76c7a639559ac60e49bb1e0f4036c8b2213d7
  SHA256: 264f5288b4c1efbc677dea6cb64b8b163a29f384111686de1691d26796a2825d
  SHA512: e93f018f2c8867e2d3904e414043c1ea5c4039c45aa9dd5930c137667a7ace1c379bd6d0016dc1b77d842b7e85d17a12e30c6dbc02954306d4e8f29c12b7db2c
- C:\Users\Admin\AppData\Roaming\827763568 (second listing with the same content as the second entry above)
  MD5: bc251d6a9f3408d4a2ff3add1d27ad3d
  SHA1: 99091c8e7a4ce7df879e157ddfba12d60095b1a9
  SHA256: 6e74f04c654aac5a0660ec5db3bfc2fa1ac1dc8a5f3fe683f36bcf8b049abd31
  SHA512: 23b91b23223432e345b38ceb5bcb0396f166cb079992491df275df1904dfa2c9e2f359a4c6bfba11de01d8df1ff777d0f9ed6921ada99ae44e38cb739747a995
The same path under AppData\Roaming is written with four different contents across the tasks, so hash-matching that file is not a useful IoC; the path itself and the fact that a process writes to it repeatedly are.
- \Users\Admin\AppData\Local\Temp\nsc37D3.tmp\System.dll
- \Users\Admin\AppData\Local\Temp\nsn1508.tmp\System.dll
- \Users\Admin\AppData\Local\Temp\nsy7975.tmp\System.dll
- \Users\Admin\AppData\Local\Temp\nsyF3F1.tmp\System.dll
  All four System.dll copies have identical content:
  MD5: fccff8cb7a1067e23fd2e2b63971a8e1
  SHA1: 30e2a9e137c1223a78a0f7b0bf96a1c361976d91
  SHA256: 6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e
  SHA512: f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c
-
Memory dumps (PID-index, address range, dump type):
- memory/216-16-0x000007FEF6340000-0x000007FEF65BA000-memory.dmp (filesize 2.5MB)
- memory/220-13-0x0000000000405A20-mapping.dmp
- memory/1080-7-0x0000000000000000-mapping.dmp
- memory/1308-10-0x0000000000000000-mapping.dmp
- memory/1424-11-0x0000000000000000-mapping.dmp
- memory/1588-20-0x0000000000405A20-mapping.dmp
- memory/1652-6-0x0000000000000000-mapping.dmp
- memory/1692-4-0x0000000000405A20-mapping.dmp
- memory/1692-5-0x0000000000400000-0x000000000041E000-memory.dmp (filesize 120KB)
- memory/1692-3-0x0000000000400000-0x000000000041E000-memory.dmp (filesize 120KB)
- memory/1960-26-0x0000000000405A20-mapping.dmp
The four SetThreadContext targets (1692, 220, 1588, 1960) all carry a mapping at the same address, 0x405A20, and the 0x400000-0x41E000 dumps of PID 1692 are the unpacked image to pull for static analysis; the 262KB NSIS wrapper on disk is not the code that ran.