Malware Analysis Report

2025-01-02 06:59

Sample ID 221001-1c92sshfhn
Target ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd
SHA256 ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd
Tags
r77 rootkit upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd

Threat Level: Known bad

The file ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd was found to be: Known bad.

Malicious Activity Summary

r77 rootkit upx

R77 family

r77

r77 rootkit payload

Executes dropped EXE

UPX packed file

Loads dropped DLL

Suspicious use of AdjustPrivilegeToken

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2022-10-01 21:31

Signatures

R77 family

r77

r77 rootkit payload

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2022-10-01 21:31

Reported

2022-10-01 21:35

Platform

win10v2004-20220812-en

Max time kernel

191s

Max time network

190s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe"

Signatures

r77

rootkit r77

r77 rootkit payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe

"C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe"

C:\Users\Admin\AppData\Local\Temp\a.exe

C:\Users\Admin\AppData\Local\Temp\\a.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 f.7.6.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.7.0.0.0.0.3.0.1.3.0.6.2.ip6.arpa udp
GB 51.132.193.104:443 tcp
US 8.8.8.8:53 wwa.lanzous.com udp
US 69.16.230.226:443 wwa.lanzous.com tcp
NL 87.248.202.1:80 tcp
NL 87.248.202.1:80 tcp
US 8.8.8.8:53 flingtrainer.com udp
US 172.67.177.160:443 flingtrainer.com tcp
NL 8.238.23.254:80 tcp
BE 67.27.153.126:80 tcp

Files

memory/4960-132-0x0000000010000000-0x000000001003F000-memory.dmp

memory/4960-133-0x0000000010000000-0x000000001003F000-memory.dmp

memory/4960-134-0x0000000010000000-0x000000001003F000-memory.dmp

memory/4960-136-0x0000000010000000-0x000000001003F000-memory.dmp

memory/4960-140-0x0000000010000000-0x000000001003F000-memory.dmp

memory/4960-142-0x0000000010000000-0x000000001003F000-memory.dmp

memory/4960-138-0x0000000010000000-0x000000001003F000-memory.dmp

memory/4960-146-0x0000000010000000-0x000000001003F000-memory.dmp

memory/4960-144-0x0000000010000000-0x000000001003F000-memory.dmp

memory/4960-148-0x0000000010000000-0x000000001003F000-memory.dmp

memory/4960-152-0x0000000010000000-0x000000001003F000-memory.dmp

memory/4960-150-0x0000000010000000-0x000000001003F000-memory.dmp

memory/4960-154-0x0000000010000000-0x000000001003F000-memory.dmp

memory/4960-156-0x0000000010000000-0x000000001003F000-memory.dmp

memory/4960-162-0x0000000010000000-0x000000001003F000-memory.dmp

memory/4960-164-0x0000000010000000-0x000000001003F000-memory.dmp

memory/4960-168-0x0000000010000000-0x000000001003F000-memory.dmp

memory/4960-170-0x0000000010000000-0x000000001003F000-memory.dmp

memory/4960-172-0x0000000010000000-0x000000001003F000-memory.dmp

memory/4960-166-0x0000000010000000-0x000000001003F000-memory.dmp

memory/4960-174-0x0000000010000000-0x000000001003F000-memory.dmp

memory/4960-160-0x0000000010000000-0x000000001003F000-memory.dmp

memory/4960-158-0x0000000010000000-0x000000001003F000-memory.dmp

memory/4960-175-0x0000000010000000-0x000000001003F000-memory.dmp

memory/2312-176-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\a.exe

MD5 75af6cf8ac44a8dc4136ea679c292511
SHA1 74c7b0327d5fa311dbbfc9658965326507162c29
SHA256 539304ee93b2f6872d2474d7a217986864f82e0acfd8f1a73fb8d303ec6e72f1
SHA512 ff53a23d32ae9da3fc19c1ba84dcf2146e1c63c20c8d53cc51281f0588b8e91101d102bd536d822c1b1e2578d7b7ce7007d364e7a4737ba135a4c66343df78e8

C:\Users\Admin\AppData\Local\Temp\a.exe

MD5 75af6cf8ac44a8dc4136ea679c292511
SHA1 74c7b0327d5fa311dbbfc9658965326507162c29
SHA256 539304ee93b2f6872d2474d7a217986864f82e0acfd8f1a73fb8d303ec6e72f1
SHA512 ff53a23d32ae9da3fc19c1ba84dcf2146e1c63c20c8d53cc51281f0588b8e91101d102bd536d822c1b1e2578d7b7ce7007d364e7a4737ba135a4c66343df78e8

memory/2312-179-0x0000027F54930000-0x0000027F54962000-memory.dmp

memory/2312-180-0x00007FFAD9BA0000-0x00007FFADA661000-memory.dmp

memory/2312-181-0x0000027F76350000-0x0000027F76358000-memory.dmp

memory/2312-182-0x0000027F74FB0000-0x0000027F74FE8000-memory.dmp

memory/2312-183-0x0000027F74F80000-0x0000027F74F8E000-memory.dmp

memory/2312-184-0x00007FFAD9BA0000-0x00007FFADA661000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2022-10-01 21:31

Reported

2022-10-01 21:34

Platform

win7-20220901-en

Max time kernel

154s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe"

Signatures

r77

rootkit r77

r77 rootkit payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe

"C:\Users\Admin\AppData\Local\Temp\ce8fa9dbe4da6788a1af959875494e429c9d328ce7aa288d2c1698593982bdbd.exe"

C:\Users\Admin\AppData\Local\Temp\a.exe

C:\Users\Admin\AppData\Local\Temp\\a.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 wwa.lanzous.com udp
US 69.16.230.226:443 wwa.lanzous.com tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 96.16.53.134:80 apps.identrust.com tcp
US 8.8.8.8:53 flingtrainer.com udp
US 172.67.177.160:443 flingtrainer.com tcp
US 172.67.177.160:443 flingtrainer.com tcp

Files

memory/1492-54-0x0000000076BA1000-0x0000000076BA3000-memory.dmp

memory/1492-55-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1492-56-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1492-57-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1492-59-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1492-61-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1492-63-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1492-65-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1492-67-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1492-69-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1492-71-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1492-73-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1492-75-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1492-79-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1492-77-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1492-83-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1492-85-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1492-89-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1492-91-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1492-93-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1492-95-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1492-97-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1492-87-0x0000000010000000-0x000000001003F000-memory.dmp

memory/1492-81-0x0000000010000000-0x000000001003F000-memory.dmp

\Users\Admin\AppData\Local\Temp\a.exe

MD5 75af6cf8ac44a8dc4136ea679c292511
SHA1 74c7b0327d5fa311dbbfc9658965326507162c29
SHA256 539304ee93b2f6872d2474d7a217986864f82e0acfd8f1a73fb8d303ec6e72f1
SHA512 ff53a23d32ae9da3fc19c1ba84dcf2146e1c63c20c8d53cc51281f0588b8e91101d102bd536d822c1b1e2578d7b7ce7007d364e7a4737ba135a4c66343df78e8

memory/932-99-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Temp\a.exe

MD5 75af6cf8ac44a8dc4136ea679c292511
SHA1 74c7b0327d5fa311dbbfc9658965326507162c29
SHA256 539304ee93b2f6872d2474d7a217986864f82e0acfd8f1a73fb8d303ec6e72f1
SHA512 ff53a23d32ae9da3fc19c1ba84dcf2146e1c63c20c8d53cc51281f0588b8e91101d102bd536d822c1b1e2578d7b7ce7007d364e7a4737ba135a4c66343df78e8

memory/932-101-0x00000000021A0000-0x00000000021D2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a.exe

MD5 75af6cf8ac44a8dc4136ea679c292511
SHA1 74c7b0327d5fa311dbbfc9658965326507162c29
SHA256 539304ee93b2f6872d2474d7a217986864f82e0acfd8f1a73fb8d303ec6e72f1
SHA512 ff53a23d32ae9da3fc19c1ba84dcf2146e1c63c20c8d53cc51281f0588b8e91101d102bd536d822c1b1e2578d7b7ce7007d364e7a4737ba135a4c66343df78e8

\Users\Admin\AppData\Local\Temp\a.exe

MD5 75af6cf8ac44a8dc4136ea679c292511
SHA1 74c7b0327d5fa311dbbfc9658965326507162c29
SHA256 539304ee93b2f6872d2474d7a217986864f82e0acfd8f1a73fb8d303ec6e72f1
SHA512 ff53a23d32ae9da3fc19c1ba84dcf2146e1c63c20c8d53cc51281f0588b8e91101d102bd536d822c1b1e2578d7b7ce7007d364e7a4737ba135a4c66343df78e8

memory/932-104-0x0000000000380000-0x000000000038A000-memory.dmp

memory/932-105-0x0000000000380000-0x000000000038A000-memory.dmp

memory/932-106-0x000000001AC4A000-0x000000001AC69000-memory.dmp

memory/1492-107-0x0000000010000000-0x000000001003F000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 d15aaa7c9be910a9898260767e2490e1
SHA1 2090c53f8d9fc3fbdbafd3a1e4dc25520eb74388
SHA256 f8ebaaf487cba0c81a17c8cd680bdd2dd8e90d2114ecc54844cffc0cc647848e
SHA512 7e1c1a683914b961b5cc2fe5e4ae288b60bab43bfaa21ce4972772aa0589615c19f57e672e1d93e50a7ed7b76fbd2f1b421089dcaed277120b93f8e91b18af94

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 f927e4414952d3fb23da0955ababe27c
SHA1 63afc365645ab89e4a01046899662db8a5ed6862
SHA256 6ce79fd79c3e2ef7f42bc3157e453c62633208d06741face39caad73fadb3e90
SHA512 9164d36632f8489ebe0bc535d1fd6adde6eaf20ae620cb268490c0c328da2f354486ad7e2a9ac239dd24c5942a90d7f4d02b1de4c2beade1e12e1f4a7d7c7e28

memory/932-110-0x0000000000380000-0x000000000038A000-memory.dmp

memory/932-111-0x0000000000380000-0x000000000038A000-memory.dmp

memory/932-112-0x000000001AC4A000-0x000000001AC69000-memory.dmp