Malware Analysis Report

2024-10-16 03:24

Sample ID 210917-q3t36afgd7
Target 2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce
SHA256 2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce
Tags babuk ransomware
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256

2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce

Threat Level: Known bad

The file 2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce was found to be: Known bad.

Malicious Activity Summary

babuk ransomware

Babuk Locker

Deletes shadow copies

Modifies extensions of user files

Executes dropped EXE

Loads dropped DLL

Enumerates connected drives

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Interacts with shadow copies

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2021-09-17 13:47

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2021-09-17 13:47

Reported

2021-09-17 13:50

Platform

win7-en-20210916

Max time kernel

76s

Max time network

35s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce.exe"

Signatures

Babuk Locker

ransomware babuk

Deletes shadow copies

ransomware

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Pictures\SkipBlock.tiff | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File renamed | C:\Users\Admin\Pictures\ReadOpen.png => C:\Users\Admin\Pictures\ReadOpen.png.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened for modification | C:\Users\Admin\Pictures\ReadOpen.png.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File renamed | C:\Users\Admin\Pictures\RepairEdit.tif => C:\Users\Admin\Pictures\RepairEdit.tif.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened for modification | C:\Users\Admin\Pictures\RepairEdit.tif.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File renamed | C:\Users\Admin\Pictures\SkipBlock.tiff => C:\Users\Admin\Pictures\SkipBlock.tiff.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened for modification | C:\Users\Admin\Pictures\SkipBlock.tiff.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1868 wrote to memory of 568 | N/A | C:\Users\Admin\AppData\Local\Temp\2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce.exe | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE
PID 1868 wrote to memory of 568 | N/A | C:\Users\Admin\AppData\Local\Temp\2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce.exe | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE
PID 1868 wrote to memory of 568 | N/A | C:\Users\Admin\AppData\Local\Temp\2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce.exe | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE
PID 1868 wrote to memory of 568 | N/A | C:\Users\Admin\AppData\Local\Temp\2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce.exe | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE
PID 568 wrote to memory of 1324 | N/A | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | C:\Windows\System32\cmd.exe
PID 568 wrote to memory of 1324 | N/A | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | C:\Windows\System32\cmd.exe
PID 568 wrote to memory of 1324 | N/A | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | C:\Windows\System32\cmd.exe
PID 568 wrote to memory of 1324 | N/A | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | C:\Windows\System32\cmd.exe
PID 1324 wrote to memory of 1512 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 1324 wrote to memory of 1512 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 1324 wrote to memory of 1512 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 568 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | C:\Windows\System32\cmd.exe
PID 568 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | C:\Windows\System32\cmd.exe
PID 568 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | C:\Windows\System32\cmd.exe
PID 568 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | C:\Windows\System32\cmd.exe
PID 2044 wrote to memory of 692 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 2044 wrote to memory of 692 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe
PID 2044 wrote to memory of 692 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\vssadmin.exe

Processes

C:\Users\Admin\AppData\Local\Temp\2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce.exe

"C:\Users\Admin\AppData\Local\Temp\2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce.exe"

C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE

"C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Public\Desktop\How To Restore Your Files.txt

Network

N/A

Files

memory/1868-53-0x0000000074AC1000-0x0000000074AC3000-memory.dmp

memory/568-56-0x0000000000000000-mapping.dmp

\Users\Admin\AppData\Local\Temp\E_WIN.EXE

MD5 8d622a6f37a1fb60dec715e05516b508
SHA1 2a002f331c7356fccc2bf42c2ed2f3d3efd7767f
SHA256 e9f18a0183e31653d43ef1124eba7710d9d6d0675b48a715896001fd88526ef9
SHA512 21e5782df789be73861e2c0687a2e01b2a41dfd2c39f56039eda739635ad307a1c3caa06310c5878dc48e6b53ed0714e1130cca70983bbd13c84f306a66254fa

C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE

MD5 8d622a6f37a1fb60dec715e05516b508
SHA1 2a002f331c7356fccc2bf42c2ed2f3d3efd7767f
SHA256 e9f18a0183e31653d43ef1124eba7710d9d6d0675b48a715896001fd88526ef9
SHA512 21e5782df789be73861e2c0687a2e01b2a41dfd2c39f56039eda739635ad307a1c3caa06310c5878dc48e6b53ed0714e1130cca70983bbd13c84f306a66254fa

memory/1324-59-0x0000000000000000-mapping.dmp

memory/1512-60-0x0000000000000000-mapping.dmp

memory/2044-61-0x0000000000000000-mapping.dmp

memory/692-62-0x0000000000000000-mapping.dmp

memory/468-63-0x000007FEFB571000-0x000007FEFB573000-memory.dmp

C:\Users\Public\Desktop\How To Restore Your Files.txt

MD5 00a5956169037088a772613dba6f8c79
SHA1 66e27513dd1d87ba64002e834c1cf296198656bb
SHA256 f5d91ab8838d0ad26e364940281e55d2d7be7551671c47cf653b4df80539f3a1
SHA512 47bdd65a129ee40c5f7dd9ef48ccddcc5a1cc6059018de32e4beb6bffe66e5934e42aa33743387cd7d9e95f41310a29cd5d1b113aecbb3c9b8f42531f1cf1bbf

Analysis: behavioral2

Detonation Overview

Submitted

2021-09-17 13:47

Reported

2021-09-17 13:50

Platform

win10v20210408

Max time kernel

96s

Max time network

98s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce.exe"

Signatures

Babuk Locker

ransomware babuk

Deletes shadow copies

ransomware

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A

Modifies extensions of user files

ransomware
Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\Pictures\DenyUnlock.tiff.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened for modification | C:\Users\Admin\Pictures\MountStart.png.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File renamed | C:\Users\Admin\Pictures\SendConvertFrom.png => C:\Users\Admin\Pictures\SendConvertFrom.png.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File renamed | C:\Users\Admin\Pictures\StepUnpublish.raw => C:\Users\Admin\Pictures\StepUnpublish.raw.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened for modification | C:\Users\Admin\Pictures\SetStep.tiff.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File renamed | C:\Users\Admin\Pictures\MountStart.png => C:\Users\Admin\Pictures\MountStart.png.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File renamed | C:\Users\Admin\Pictures\PushExit.tiff => C:\Users\Admin\Pictures\PushExit.tiff.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened for modification | C:\Users\Admin\Pictures\SetUnlock.tiff | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File renamed | C:\Users\Admin\Pictures\SetUnlock.tiff => C:\Users\Admin\Pictures\SetUnlock.tiff.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened for modification | C:\Users\Admin\Pictures\SendConvertFrom.png.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File renamed | C:\Users\Admin\Pictures\UnprotectApprove.tif => C:\Users\Admin\Pictures\UnprotectApprove.tif.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened for modification | C:\Users\Admin\Pictures\StepUnpublish.raw.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File renamed | C:\Users\Admin\Pictures\AddUnlock.tif => C:\Users\Admin\Pictures\AddUnlock.tif.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened for modification | C:\Users\Admin\Pictures\AddUnlock.tif.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened for modification | C:\Users\Admin\Pictures\DenyUnlock.tiff | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File renamed | C:\Users\Admin\Pictures\MoveExport.tif => C:\Users\Admin\Pictures\MoveExport.tif.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened for modification | C:\Users\Admin\Pictures\MoveExport.tif.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened for modification | C:\Users\Admin\Pictures\PushExit.tiff | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened for modification | C:\Users\Admin\Pictures\ReadAdd.raw.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File renamed | C:\Users\Admin\Pictures\DenyUnlock.tiff => C:\Users\Admin\Pictures\DenyUnlock.tiff.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File renamed | C:\Users\Admin\Pictures\ReadAdd.raw => C:\Users\Admin\Pictures\ReadAdd.raw.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened for modification | C:\Users\Admin\Pictures\PushExit.tiff.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened for modification | C:\Users\Admin\Pictures\SetStep.tiff | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File renamed | C:\Users\Admin\Pictures\SetStep.tiff => C:\Users\Admin\Pictures\SetStep.tiff.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened for modification | C:\Users\Admin\Pictures\SetUnlock.tiff.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened for modification | C:\Users\Admin\Pictures\UnprotectApprove.tif.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
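The "Modifies extensions of user files" tables in behavioral1 and behavioral2 show the pattern a detection engineer actually keys on: one process renaming many unrelated user files by appending a single new suffix (here `.babyk`). The following is an added example, not code from the sandbox or the report; it parses rows of that kind and flags a process once the count of same-suffix renames passes a threshold. SAMPLE_ROWS is constructed from rows of the two tables plus one invented explorer.exe row as a benign control, and the pipe-delimited "Description | Indicator | Process | Target" layout, the threshold value and the function names are this example's own assumptions.

```python
"""Flag a process that renames many user files to one new extension.

Added example, not part of the sandbox report. SAMPLE_ROWS is constructed
from the "Modifies extensions of user files" tables of behavioral1 and
behavioral2 (plus one invented explorer.exe row as a benign control); the
pipe-delimited "Description | Indicator | Process | Target" layout is this
example's own convention, not a log format the sandbox emits.
"""
import ntpath
import re
from collections import Counter, defaultdict

SAMPLE_ROWS = r"""
File opened for modification | C:\Users\Admin\Pictures\SkipBlock.tiff | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File renamed | C:\Users\Admin\Pictures\ReadOpen.png => C:\Users\Admin\Pictures\ReadOpen.png.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened for modification | C:\Users\Admin\Pictures\ReadOpen.png.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File renamed | C:\Users\Admin\Pictures\RepairEdit.tif => C:\Users\Admin\Pictures\RepairEdit.tif.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File renamed | C:\Users\Admin\Pictures\SkipBlock.tiff => C:\Users\Admin\Pictures\SkipBlock.tiff.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File renamed | C:\Users\Admin\Pictures\SendConvertFrom.png => C:\Users\Admin\Pictures\SendConvertFrom.png.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File renamed | C:\Users\Admin\Pictures\StepUnpublish.raw => C:\Users\Admin\Pictures\StepUnpublish.raw.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File renamed | C:\Users\Admin\Pictures\PushExit.tiff => C:\Users\Admin\Pictures\PushExit.tiff.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File renamed | C:\Users\Admin\Pictures\UnprotectApprove.tif => C:\Users\Admin\Pictures\UnprotectApprove.tif.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File renamed | C:\Users\Admin\Pictures\DenyUnlock.tiff => C:\Users\Admin\Pictures\DenyUnlock.tiff.babyk | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File renamed | C:\Users\Admin\Documents\notes.txt => C:\Users\Admin\Documents\notes.txt.bak | C:\Windows\explorer.exe | N/A
"""

RENAME_RE = re.compile(r"^(?P<old>.+?) => (?P<new>.+)$")
FIELDS = ("description", "indicator", "process", "target")


def parse_rows(text):
    """Split pipe-delimited rows into dicts keyed by the table's column names."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(" | ")]
        if len(fields) != len(FIELDS):
            raise ValueError(f"unexpected row: {line!r}")
        rows.append(dict(zip(FIELDS, fields)))
    return rows


def appended_suffix(old, new):
    """Return the suffix a rename appended to the original name (e.g. '.babyk'),
    or None when the new name is not simply old name plus suffix."""
    if new.startswith(old) and len(new) > len(old):
        return new[len(old):]
    return None


def find_extension_bursts(rows, threshold=5):
    """Group 'File renamed' rows by (process, appended suffix) and report every
    group with at least `threshold` files, together with the original
    extensions hit, which shows whether the renames cut across file types."""
    per_proc = defaultdict(lambda: defaultdict(list))  # process -> suffix -> [old paths]
    for row in rows:
        if row["description"] != "File renamed":
            continue
        m = RENAME_RE.match(row["indicator"])
        if not m:
            continue
        suffix = appended_suffix(m["old"], m["new"])
        if suffix is None:
            continue
        per_proc[row["process"]][suffix].append(m["old"])

    findings = []
    for proc, by_suffix in per_proc.items():
        for suffix, olds in by_suffix.items():
            if len(olds) < threshold:
                continue
            original_exts = Counter(ntpath.splitext(p)[1].lower() for p in olds)
            findings.append({
                "process": proc,
                "suffix": suffix,
                "count": len(olds),
                "original_extensions": dict(original_exts),
            })
    findings.sort(key=lambda f: -f["count"])
    return findings


if __name__ == "__main__":
    for finding in find_extension_bursts(parse_rows(SAMPLE_ROWS)):
        print(finding)
```

The threshold is deliberately a parameter: on a real endpoint a handful of renames to the same suffix is routine (backup tools, editors writing `.bak` files), so the value has to be tuned per environment and is usually paired with a time window; the constructed explorer.exe row stays below it while E_WIN.EXE's eight renames across `.png`, `.tif`, `.tiff` and `.raw` files are flagged.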

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\B: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\A: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A

Enumerates physical storage devices

Interacts with shadow copies

ransomware
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A
N/A | N/A | C:\Windows\system32\vssadmin.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce.exe

"C:\Users\Admin\AppData\Local\Temp\2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce.exe"

C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE

"C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c vssadmin.exe delete shadows /all /quiet

C:\Windows\system32\vssadmin.exe

vssadmin.exe delete shadows /all /quiet
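Both detonations show the same process chain: the dropped E_WIN.EXE spawns cmd.exe twice, and each cmd.exe runs `vssadmin.exe delete shadows /all /quiet`, the inhibit-recovery step that precedes encryption. The block below is an added example, not code from the sandbox or the report, showing how that chain is detected from process-creation events: match the command line, walk the parent links, and escalate when the chain originates from a binary in a user-writable Temp directory. The events are constructed from the PIDs and command lines in the Processes and "Suspicious use of WriteProcessMemory" tables; the ProcEvent field names, the root parent PID 0, the benign control event and the function names are this example's own assumptions.

```python
"""Detect vssadmin shadow-copy deletion launched from a user-writable path.

Added example, not part of the sandbox report. The event records are
constructed from the PIDs and command lines in the Processes and
"Suspicious use of WriteProcessMemory" tables above; the ProcEvent field
names, the root parent PID 0 and the benign control event (PID 3000) are
assumptions, not data from the report.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str


SAMPLE_PATH = r"C:\Users\Admin\AppData\Local\Temp\2f5f29192f5139d83f93361ca855d385fd54adf8a40ee959efa72e6e00b2a0ce.exe"
DROPPED_PATH = r"C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE"
CMD = r"C:\Windows\System32\cmd.exe"
VSSADMIN = r"C:\Windows\system32\vssadmin.exe"

# Constructed sample: the behavioral1 process tree (PIDs from the report).
SAMPLE_EVENTS = [
    ProcEvent(1868, 0, SAMPLE_PATH, f'"{SAMPLE_PATH}"'),
    ProcEvent(568, 1868, DROPPED_PATH, f'"{DROPPED_PATH}"'),
    ProcEvent(1324, 568, CMD, f'"{CMD}" /c vssadmin.exe delete shadows /all /quiet'),
    ProcEvent(1512, 1324, VSSADMIN, "vssadmin.exe delete shadows /all /quiet"),
    ProcEvent(2044, 568, CMD, f'"{CMD}" /c vssadmin.exe delete shadows /all /quiet'),
    ProcEvent(692, 2044, VSSADMIN, "vssadmin.exe delete shadows /all /quiet"),
    # Invented benign control: an administrator listing shadows from a console.
    ProcEvent(3000, 2500, VSSADMIN, "vssadmin.exe list shadows"),
]

SHADOW_DELETE = re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows\b", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\Local\\Temp\\", re.IGNORECASE)


def ancestry(index, pid, max_depth=16):
    """Walk parent links upward from pid, returning [self, parent, grandparent, ...].
    Stops at an unknown parent, a cycle, or max_depth."""
    chain, seen = [], set()
    while pid in index and pid not in seen and len(chain) < max_depth:
        seen.add(pid)
        chain.append(index[pid])
        pid = index[pid].ppid
    return chain


def find_shadow_copy_deletion(events):
    """Return one finding per innermost process whose command line deletes
    shadow copies, with its ancestry and the first ancestor (if any) that
    runs from a user-writable Temp directory."""
    index = {e.pid: e for e in events}
    matched = [e for e in events if SHADOW_DELETE.search(e.cmdline)]
    findings = []
    for e in matched:
        # The cmd.exe /c wrapper also carries the command line; report the
        # leaf (vssadmin itself) and keep the wrapper as chain context.
        if any(c.ppid == e.pid for c in matched if c is not e):
            continue
        chain = ancestry(index, e.pid)
        origin = next((a for a in chain if USER_WRITABLE.search(a.image)), None)
        flags = e.cmdline.lower()
        findings.append({
            "pid": e.pid,
            "cmdline": e.cmdline,
            "all_and_quiet": "/all" in flags and "/quiet" in flags,
            "via_cmd": any(a.image.lower().endswith("\\cmd.exe") for a in chain[1:]),
            "origin": origin.image if origin else None,
            "chain": [a.pid for a in chain],
            "severity": "high" if origin else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in find_shadow_copy_deletion(SAMPLE_EVENTS):
        print(finding)
```

Matching on the command line rather than on the image name catches the `cmd.exe /c` wrapper even when the child vssadmin event is missing from the log, and walking the parents is what separates this from an administrator's own `vssadmin list shadows`: the two findings here both resolve to E_WIN.EXE in the user's Temp directory and are rated high, while the control event produces none.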

Network

Files

memory/696-114-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\E_WIN.EXE

MD5 8d622a6f37a1fb60dec715e05516b508
SHA1 2a002f331c7356fccc2bf42c2ed2f3d3efd7767f
SHA256 e9f18a0183e31653d43ef1124eba7710d9d6d0675b48a715896001fd88526ef9
SHA512 21e5782df789be73861e2c0687a2e01b2a41dfd2c39f56039eda739635ad307a1c3caa06310c5878dc48e6b53ed0714e1130cca70983bbd13c84f306a66254fa

memory/1184-117-0x0000000000000000-mapping.dmp

memory/1844-118-0x0000000000000000-mapping.dmp

memory/4024-119-0x0000000000000000-mapping.dmp

memory/3960-120-0x0000000000000000-mapping.dmp