Malware Analysis Report

2024-11-30 23:19

Sample ID 220415-cky3haghar
Target ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee
SHA256 ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee
Tags blacknet persistence trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee

Threat Level: Known bad

The file ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee was found to be: Known bad.

Malicious Activity Summary

blacknet persistence trojan

BlackNET

Executes dropped EXE

Checks computer location settings

Adds Run key to start application

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-04-15 02:08

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-04-15 02:08

Reported

2022-04-15 02:18

Platform

win7-20220414-en

Max time kernel

46s

Max time network

51s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee.exe"

Signatures

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee.exe

"C:\Users\Admin\AppData\Local\Temp\ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee.exe"

Network

N/A

Files

Analysis: behavioral2

Detonation Overview

Submitted

2022-04-15 02:08

Reported

2022-04-15 02:18

Platform

win10v2004-20220414-en

Max time kernel

60s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee.exe"

Signatures

BlackNET

trojan blacknet

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\530aa54a7f8da22dfa9151c567c09315 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe" C:\Users\Admin\AppData\Local\Temp\ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\530aa54a7f8da22dfa9151c567c09315 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Microsoft\\MyClient\\WindowsUpdate.exe" C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\530aa54a7f8da22dfa9151c567c09315 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee.exe" C:\Users\Admin\AppData\Local\Temp\ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee.exe

"C:\Users\Admin\AppData\Local\Temp\ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee.exe"

C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe

"C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 windows-install-update.duckdns.org udp
RU 95.181.172.241:443 windows-install-update.duckdns.org tcp
US 20.189.173.12:443 tcp
US 67.24.25.254:80 tcp
US 8.238.20.126:80 tcp

Files

C:\Users\Admin\AppData\Local\Temp\Microsoft\MyClient\WindowsUpdate.exe

MD5 08359645bddd0dfb58c44cd2e04031a3
SHA1 3ce31c0da59dd222facd81e2bb3d251165430154
SHA256 ad23aa6f1afb2b28998e1b6f17d147763a0486a00ba8b88125c41905a3eab0ee
SHA512 8321166bc96199634da034ef79e8f51a3e0dd007bb7dc8cdafb45fba75a9e6713c85ee6d14182d7fc49b9df722eb6bb0a3ae249864defa268716c6d8e85a0400

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 89dd6e72358a669b7d6e2348307a7af7
SHA1 0db348f3c6114a45d71f4d218e0e088b71c7bb0a
SHA256 ad34794058212006ae974fcc6a0242598e6d020f08044439e3512773cd402b7e
SHA512 93b8a47686d7491281a0809b138a6244a535302ba0d6b2146849e9888632c72b6223ae8eb7a24f1006aaf57ab947a8f43719cff4837df559e7bf42f52c63856b