Malware Analysis Report

2025-01-02 02:06

Sample ID 220724-zn3w7agaa9
Target b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12
SHA256 b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12
Tags: adwind agenttesla collection keylogger persistence spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12

Threat Level: Known bad

The file b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12 was found to be: Known bad.

Malicious Activity Summary

adwind agenttesla collection keylogger persistence spyware stealer trojan

AgentTesla

AdWind

Reads user/profile data of web browsers

Checks computer location settings

Reads user/profile data of local email clients

Accesses Microsoft Outlook profiles

Looks up external IP address via web service

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

outlook_win_path

outlook_office_path

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-07-24 20:52

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-07-24 20:52

Reported

2022-07-25 17:44

Platform

win7-20220718-en

Max time kernel

143s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe"

Signatures

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1616 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe
PID 1616 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe
PID 1616 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe
PID 1616 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe
PID 1616 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe
PID 1616 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe
PID 1616 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe
PID 1616 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe
PID 1616 wrote to memory of 1236 | N/A | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe

"C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe"

C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe

"C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe"

C:\Program Files\Java\jre7\bin\javaw.exe

"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tsd.jar"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | checkip.dyndns.org | udp
JP | 132.226.8.169:80 | checkip.dyndns.org | tcp

Files

memory/1616-54-0x00000000003D0000-0x0000000000556000-memory.dmp

memory/1616-55-0x0000000000230000-0x0000000000240000-memory.dmp

memory/1616-56-0x00000000758B1000-0x00000000758B3000-memory.dmp

memory/1236-57-0x0000000000400000-0x00000000004D6000-memory.dmp

memory/1236-58-0x00000000004D0CFE-mapping.dmp

memory/1236-59-0x00000000000C0000-0x0000000000196000-memory.dmp

memory/1236-60-0x00000000000C0000-0x0000000000196000-memory.dmp

memory/1236-64-0x00000000000C0000-0x0000000000196000-memory.dmp

memory/1236-67-0x00000000000C0000-0x0000000000196000-memory.dmp

memory/336-69-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tsd.jar

MD5 7da7000ca39ce69997bbcad56fa8d180
SHA1 5178465612c87a838fdfaa03b2148baf05a71768
SHA256 9d817b32fd59dbbe3a17f0c73d4be0b3301df89be5389bb2e81532bda93e34f8
SHA512 5999a976b75bbc457c1b38fa6e0f8149e9ffeedf3e5895d9b4478ffa94d53bf8d38b1df8aa8238423f6eb5b89c0a4bb36fa342033c6597214d12c6def53887d4

memory/336-70-0x000007FEFB761000-0x000007FEFB763000-memory.dmp

memory/336-81-0x0000000002190000-0x0000000005190000-memory.dmp

memory/1236-82-0x0000000002210000-0x000000000221A000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2022-07-24 20:52

Reported

2022-07-25 17:43

Platform

win10v2004-20220721-en

Max time kernel

97s

Max time network

133s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe"

Signatures

AdWind

trojan adwind

AgentTesla

keylogger trojan stealer spyware agenttesla

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | N/A

Reads user/profile data of local email clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MyOtApp = "C:\\Users\\Admin\\AppData\\Roaming\\MyOtApp\\MyOtApp.exe" | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | N/A

Looks up external IP address via web service

Description | Indicator | Process | Target
N/A | checkip.dyndns.org | N/A | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1660 wrote to memory of 3372 | N/A | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe
PID 1660 wrote to memory of 3372 | N/A | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe
PID 1660 wrote to memory of 3372 | N/A | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe
PID 1660 wrote to memory of 3372 | N/A | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe
PID 1660 wrote to memory of 3372 | N/A | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe
PID 1660 wrote to memory of 3372 | N/A | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe
PID 1660 wrote to memory of 3372 | N/A | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe
PID 1660 wrote to memory of 3372 | N/A | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe
PID 3372 wrote to memory of 3868 | N/A | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
PID 3372 wrote to memory of 3868 | N/A | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
PID 3868 wrote to memory of 1020 | N/A | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | C:\Program Files\Java\jre1.8.0_66\bin\java.exe
PID 3868 wrote to memory of 1020 | N/A | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | C:\Program Files\Java\jre1.8.0_66\bin\java.exe
PID 3868 wrote to memory of 3348 | N/A | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | C:\Windows\SYSTEM32\cmd.exe
PID 3868 wrote to memory of 3348 | N/A | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | C:\Windows\SYSTEM32\cmd.exe
PID 1020 wrote to memory of 2424 | N/A | C:\Program Files\Java\jre1.8.0_66\bin\java.exe | C:\Windows\SYSTEM32\cmd.exe
PID 1020 wrote to memory of 2424 | N/A | C:\Program Files\Java\jre1.8.0_66\bin\java.exe | C:\Windows\SYSTEM32\cmd.exe
PID 2424 wrote to memory of 1788 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\cscript.exe
PID 2424 wrote to memory of 1788 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\cscript.exe
PID 3348 wrote to memory of 2096 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\cscript.exe
PID 3348 wrote to memory of 2096 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\cscript.exe

outlook_office_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | N/A

outlook_win_path

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2660308776-3705150086-26593515-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe

"C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe"

C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe

"C:\Users\Admin\AppData\Local\Temp\b35c1336a3500ec63601bbf1ea7e62740eaa2dae4ae37dd2f4d3f55fd60aec12.exe"

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe

"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tsd.jar"

C:\Program Files\Java\jre1.8.0_66\bin\java.exe

"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.81210737950390797014276406410368221.class

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3668966769008928747.vbs

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7723461666724738664.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3668966769008928747.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7723461666724738664.vbs

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6215090486660275181.vbs

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3385685279513011713.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6215090486660275181.vbs

C:\Windows\system32\cscript.exe

cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3385685279513011713.vbs

Network

Country | Destination | Domain | Proto
FR | 2.18.109.224:443 | | tcp
FR | 40.79.141.152:443 | | tcp
US | 93.184.221.240:80 | | tcp
US | 93.184.221.240:80 | | tcp
US | 93.184.221.240:80 | | tcp
US | 8.8.8.8:53 | checkip.dyndns.org | udp
JP | 132.226.8.169:80 | checkip.dyndns.org | tcp

Files

memory/1660-130-0x0000000000BA0000-0x0000000000D26000-memory.dmp

memory/1660-131-0x0000000005BC0000-0x0000000006164000-memory.dmp

memory/1660-132-0x00000000056F0000-0x0000000005782000-memory.dmp

memory/1660-133-0x00000000057F0000-0x00000000057FA000-memory.dmp

memory/1660-134-0x00000000093F0000-0x000000000948C000-memory.dmp

memory/3372-135-0x0000000000000000-mapping.dmp

memory/3372-136-0x0000000000400000-0x00000000004D6000-memory.dmp

memory/3372-137-0x0000000005E80000-0x0000000005EE6000-memory.dmp

memory/3868-138-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\tsd.jar

MD5 7da7000ca39ce69997bbcad56fa8d180
SHA1 5178465612c87a838fdfaa03b2148baf05a71768
SHA256 9d817b32fd59dbbe3a17f0c73d4be0b3301df89be5389bb2e81532bda93e34f8
SHA512 5999a976b75bbc457c1b38fa6e0f8149e9ffeedf3e5895d9b4478ffa94d53bf8d38b1df8aa8238423f6eb5b89c0a4bb36fa342033c6597214d12c6def53887d4

memory/3372-144-0x0000000007220000-0x0000000007270000-memory.dmp

memory/3868-145-0x0000000002680000-0x0000000003680000-memory.dmp

memory/1020-151-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\_0.81210737950390797014276406410368221.class

MD5 781fb531354d6f291f1ccab48da6d39f
SHA1 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
SHA256 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
SHA512 3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 0a1228956e0d1c1c755f99f391926803
SHA1 dec0714c7e8174d497261c5ee32367f585152d25
SHA256 75cd23ba0792d4409f0a8fab0712019a1b22c7067ec0f5cbfa6683902c155925
SHA512 7426ebf1bc14a0f63bfca9a91233fa8ccf71853d3ecc38dd68f36c015fedb1a5b83622625b26685b25e19b6ac863bb355065c46fbbcc40d11d0fdc0be93b5385

memory/1020-163-0x0000000002D40000-0x0000000003D40000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2660308776-3705150086-26593515-1000\83aa4cc77f591dfc2374580bbd95f6ba_b975079f-5511-47c1-a87a-f7cd913ae83c

MD5 c8366ae350e7019aefc9d1e6e6a498c6
SHA1 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA256 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA512 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

memory/3868-173-0x0000000002680000-0x0000000003680000-memory.dmp

memory/3868-176-0x0000000002680000-0x0000000003680000-memory.dmp

memory/3348-180-0x0000000000000000-mapping.dmp

memory/2424-181-0x0000000000000000-mapping.dmp

memory/1788-182-0x0000000000000000-mapping.dmp

memory/2096-183-0x0000000000000000-mapping.dmp

memory/1020-184-0x0000000002D40000-0x0000000003D40000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Retrive3668966769008928747.vbs

MD5 3bdfd33017806b85949b6faa7d4b98e4
SHA1 f92844fee69ef98db6e68931adfaa9a0a0f8ce66
SHA256 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
SHA512 ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

C:\Users\Admin\AppData\Local\Temp\Retrive7723461666724738664.vbs

MD5 3bdfd33017806b85949b6faa7d4b98e4
SHA1 f92844fee69ef98db6e68931adfaa9a0a0f8ce66
SHA256 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
SHA512 ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

memory/3112-187-0x0000000000000000-mapping.dmp

memory/3868-189-0x0000000002680000-0x0000000003680000-memory.dmp

memory/1448-188-0x0000000000000000-mapping.dmp

memory/4324-190-0x0000000000000000-mapping.dmp

memory/4008-191-0x0000000000000000-mapping.dmp