Analysis Overview
SHA256
9005a39c203e068daa077fe244e2608d36852dbef6f6ce8b28cc5cc015b89b1b
Threat Level: Known bad
The file 98e3648add4ab0724ebeb54eb720e8ad97ad52b0 was found to be: Known bad.
Malicious Activity Summary
Vjw0rm
Blocklisted process makes network request
Executes dropped EXE
Drops startup file
Loads dropped DLL
Checks computer location settings
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
Enumerates physical storage devices
Program crash
Suspicious behavior: GetForegroundWindowSpam
Modifies Internet Explorer settings
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-17 19:11
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-17 19:11
Reported
2023-01-17 19:15
Platform
win7-20221111-en
Max time kernel
202s
Max time network
207s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3406023954-474543476-3319432036-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TzTlSUHDie.js | C:\Windows\System32\wscript.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TzTlSUHDie.js | C:\Windows\System32\wscript.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Reads user/profile data of web browsers
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1788 set thread context of 1264 | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | C:\Windows\Explorer.EXE |
| PID 1788 set thread context of 1264 | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | C:\Windows\Explorer.EXE |
| PID 1832 set thread context of 1264 | N/A | C:\Windows\SysWOW64\wscript.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-3406023954-474543476-3319432036-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\wscript.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\wscript.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\wscript.exe | wscript.exe C:\Users\Admin\AppData\Local\Temp\98e3648add4ab0724ebeb54eb720e8ad97ad52b0.js |
| C:\Windows\System32\wscript.exe | "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\TzTlSUHDie.js" |
| C:\Users\Admin\AppData\Local\Temp\bin.exe | "C:\Users\Admin\AppData\Local\Temp\bin.exe" |
| C:\Windows\SysWOW64\msdt.exe | "C:\Windows\SysWOW64\msdt.exe" |
| C:\Windows\SysWOW64\raserver.exe | "C:\Windows\SysWOW64\raserver.exe" |
| C:\Windows\SysWOW64\wscript.exe | "C:\Windows\SysWOW64\wscript.exe" |
| C:\Program Files\Mozilla Firefox\Firefox.exe | "C:\Program Files\Mozilla Firefox\Firefox.exe" |
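The process list above is a chain worth writing detections for: wscript.exe runs the submitted .js from %Temp%, a second wscript.exe is started with //B on a copy dropped in AppData\Roaming, bin.exe is started from %Temp%, and 32-bit Windows binaries in SysWOW64 (msdt.exe, raserver.exe, wscript.exe here; msiexec.exe in the Windows 10 run) are started with nothing but their own quoted path. The script below is an added example and is not part of this report or of the sandbox's own signature logic. It runs three process-creation rules over a few constructed Sysmon-style events built from the command lines printed here; the parent images in those events and the benign msiexec.exe event used as a negative control are assumptions, since the report lists processes but not parent-child links.

```python
"""Process-creation detections for the execution chain in this report.

Added example (not the sandbox's own signature logic). The events below are
constructed Sysmon-style records modelled on the command lines in the
Processes list; parent images are assumed, the report does not state them.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    image: str         # full path of the created process
    cmdline: str       # its command line as logged
    parent_image: str  # full path of the parent (assumption for the samples)


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf")
# Windows binaries this report shows being started with a bare quoted path and
# no arguments: msdt.exe, raserver.exe, wscript.exe (Win7 run), msiexec.exe (Win10 run).
BARE_LAUNCH_WATCHLIST = {"msdt.exe", "raserver.exe", "msiexec.exe", "wscript.exe"}
USER_WRITABLE = re.compile(r"\\AppData\\(Local\\Temp|Roaming)\\", re.IGNORECASE)
SYSTEM_DIR = re.compile(r"^C:\\Windows\\(System32|SysWOW64)\\", re.IGNORECASE)
TOKEN = re.compile(r'"[^"]*"|\S+')


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def tokens(cmdline: str) -> list[str]:
    """Split a Windows command line into arguments, honouring double quotes."""
    return [t.strip('"') for t in TOKEN.findall(cmdline)]


def evaluate(event: ProcEvent) -> list[str]:
    """Return the names of the rules the event matches (empty list if none)."""
    hits: list[str] = []
    name = basename(event.image)
    args = tokens(event.cmdline)

    # Rule 1: a script host running a script that lives under a user-writable
    # AppData path (the submitted .js in %Temp%, the dropped copy in Roaming).
    if name in SCRIPT_HOSTS:
        scripts = [a for a in args[1:] if a.lower().endswith(SCRIPT_EXT)]
        if any(USER_WRITABLE.search(s) for s in scripts):
            hits.append("script_host_user_writable_script")
            # //B is batch mode: script errors are not shown to the user.
            if any(a.lower() == "//b" for a in args[1:]):
                hits.append("script_host_batch_mode")

    # Rule 2: a script host spawning an executable from a user-writable path
    # (bin.exe in %Temp%, started after the .js ran).
    if USER_WRITABLE.search(event.image) and basename(event.parent_image) in SCRIPT_HOSTS:
        hits.append("script_host_spawned_user_writable_exe")

    # Rule 3: a watch-listed Windows binary started with nothing but its own
    # path. Weak on its own; in this report it coincides with SetThreadContext
    # and MapViewOfSection activity from the same processes.
    if name in BARE_LAUNCH_WATCHLIST and SYSTEM_DIR.match(event.image) and len(args) == 1:
        hits.append("bare_launch_of_system_binary")
    return hits


def triage(events: list[ProcEvent]) -> list[tuple[str, list[str]]]:
    """(command line, fired rules) for every event that fired at least one rule."""
    out = []
    for e in events:
        hits = evaluate(e)
        if hits:
            out.append((e.cmdline, hits))
    return out


# Constructed sample events (not sandbox telemetry). Command lines are the
# ones printed in this report; parents are assumed. The last event is a
# benign installer run, included as a negative control.
EVENTS = [
    ProcEvent(r"C:\Windows\system32\wscript.exe",
              r"wscript.exe C:\Users\Admin\AppData\Local\Temp\98e3648add4ab0724ebeb54eb720e8ad97ad52b0.js",
              r"C:\Windows\Explorer.EXE"),
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\TzTlSUHDie.js"',
              r"C:\Windows\system32\wscript.exe"),
    ProcEvent(r"C:\Users\Admin\AppData\Local\Temp\bin.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\bin.exe"',
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(r"C:\Windows\SysWOW64\msdt.exe", r'"C:\Windows\SysWOW64\msdt.exe"',
              r"C:\Windows\Explorer.EXE"),
    ProcEvent(r"C:\Windows\SysWOW64\wscript.exe", r'"C:\Windows\SysWOW64\wscript.exe"',
              r"C:\Windows\Explorer.EXE"),
    ProcEvent(r"C:\Windows\System32\msiexec.exe",
              r'msiexec.exe /i "C:\Users\Admin\Downloads\tool.msi" /qn',
              r"C:\Windows\Explorer.EXE"),
]

if __name__ == "__main__":
    for cmdline, rules in triage(EVENTS):
        print(f"{', '.join(rules):55s} {cmdline}")
```

Rule 1 fires on both wscript.exe launches, with the batch-mode tag only on the second; rule 2 fires on bin.exe; rule 3 fires on msdt.exe and the SysWOW64 wscript.exe but not on the installer run, which has arguments. Rule 3 is a correlation signal rather than an alert on its own: a bare launch of a system binary is also what some legitimate launchers do, so pair it with the injection indicators the report records for the same processes (SetThreadContext targeting Explorer.EXE, WriteProcessMemory, MapViewOfSection) before acting on it.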
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | www.ambilis.com | udp |
| N/A | 199.59.243.222:80 | www.ambilis.com | tcp |
| N/A | 8.8.8.8:53 | www.sqlite.org | udp |
| N/A | 45.33.6.223:80 | www.sqlite.org | tcp |
| N/A | 45.33.6.223:80 | www.sqlite.org | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | www.theedenpublicschool.com | udp |
| N/A | 162.214.81.26:80 | www.theedenpublicschool.com | tcp |
| N/A | 162.214.81.26:80 | www.theedenpublicschool.com | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | www.ecomicsvilla.com | udp |
| N/A | 198.252.102.191:80 | www.ecomicsvilla.com | tcp |
| N/A | 198.252.102.191:80 | www.ecomicsvilla.com | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | www.boltag.xyz | udp |
| N/A | 199.192.31.98:80 | www.boltag.xyz | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 199.192.31.98:80 | www.boltag.xyz | tcp |
| N/A | 8.8.8.8:53 | www.f1253.com | udp |
| N/A | 34.92.178.239:80 | www.f1253.com | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 34.92.178.239:80 | www.f1253.com | tcp |
Files
memory/1152-54-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\TzTlSUHDie.js
| MD5 | 90c052e2282de1c12470fc54d62681d9 |
| SHA1 | ea069b254dde1f6cad46afedf55c69d4516a0d7a |
| SHA256 | be62476863ca538e76f33e4758a5a5af8609d681026c4e325d8d667470aa9097 |
| SHA512 | 73661062644236fcd76f689a8271f5f2c875468fbfdd4a4431a2b419c8bc093129345ee9b83d4f87eaa389a1ff12e776ba5d0d5845899931e1b72c32d4cb5ea7 |
memory/1788-56-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\bin.exe
| MD5 | f9fdfca55156f35ea48a17947d091f4d |
| SHA1 | 15f10040cf10535deed5ca028150ed847a585d01 |
| SHA256 | 7258963be005d6914901a62c591c56427553f62537f86d70965af16dae57c0d0 |
| SHA512 | 53caa12467706839406c40e8e8a925a67f8c51ddc6abb0bf7db8ca61e03af09714cc954e959c89dae91fb45c07fc113a076e0ab34806933ca7deed520113c302 |
memory/1152-58-0x000007FEFC201000-0x000007FEFC203000-memory.dmp
memory/1788-59-0x00000000011A0000-0x00000000011CF000-memory.dmp
memory/1788-60-0x00000000011A0000-0x00000000011CF000-memory.dmp
memory/1788-61-0x00000000008A0000-0x0000000000BA3000-memory.dmp
memory/1264-63-0x0000000004BB0000-0x0000000004C91000-memory.dmp
memory/1788-62-0x0000000000110000-0x0000000000120000-memory.dmp
memory/1788-64-0x00000000001D0000-0x00000000001E0000-memory.dmp
memory/1264-65-0x0000000004A70000-0x0000000004B2C000-memory.dmp
memory/1832-66-0x0000000000000000-mapping.dmp
memory/1788-67-0x00000000011A0000-0x00000000011CF000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\bin.exe
| MD5 | f9fdfca55156f35ea48a17947d091f4d |
| SHA1 | 15f10040cf10535deed5ca028150ed847a585d01 |
| SHA256 | 7258963be005d6914901a62c591c56427553f62537f86d70965af16dae57c0d0 |
| SHA512 | 53caa12467706839406c40e8e8a925a67f8c51ddc6abb0bf7db8ca61e03af09714cc954e959c89dae91fb45c07fc113a076e0ab34806933ca7deed520113c302 |
memory/1832-69-0x0000000000B20000-0x0000000000B46000-memory.dmp
memory/1832-70-0x00000000020E0000-0x00000000023E3000-memory.dmp
memory/1832-71-0x0000000000070000-0x000000000009D000-memory.dmp
memory/1264-72-0x0000000004A70000-0x0000000004B2C000-memory.dmp
memory/1832-73-0x0000000000890000-0x000000000091F000-memory.dmp
memory/1264-74-0x00000000066B0000-0x0000000006769000-memory.dmp
memory/1832-75-0x0000000075DF1000-0x0000000075DF3000-memory.dmp
memory/1264-76-0x00000000066B0000-0x0000000006769000-memory.dmp
\Users\Admin\AppData\Local\Temp\sqlite3.dll
| MD5 | 1eb6acf76a15b74b38333af47dc1218d |
| SHA1 | a3fbc817f59b6a8899dc338cc15a75cdd17dfff1 |
| SHA256 | a5ef3a78eb333b0e6dca194ea711dcbb036119a788ecfe125f05176fb0fb70a3 |
| SHA512 | 717931aa928de150abbb70d523c7dbd472bfa6c511ab55e0b50df8d9661d33635156ed7b750285fa383cdd4064f225ea022f0bead3e066ee2beba84ef5731c15 |
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-17 19:11
Reported
2023-01-17 19:15
Platform
win10v2004-20221111-en
Max time kernel
205s
Max time network
209s
Command Line
Signatures
Vjw0rm
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\System32\wscript.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TzTlSUHDie.js | C:\Windows\System32\wscript.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TzTlSUHDie.js | C:\Windows\System32\wscript.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1112 set thread context of 2720 | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | C:\Windows\Explorer.EXE |
| PID 4560 set thread context of 2720 | N/A | C:\Windows\SysWOW64\msiexec.exe | C:\Windows\Explorer.EXE |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Program Files\Mozilla Firefox\Firefox.exe |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \Registry\User\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\bin.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Explorer.EXE | N/A |
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
| C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE |
| C:\Windows\system32\wscript.exe | wscript.exe C:\Users\Admin\AppData\Local\Temp\98e3648add4ab0724ebeb54eb720e8ad97ad52b0.js |
| C:\Windows\System32\wscript.exe | "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\TzTlSUHDie.js" |
| C:\Users\Admin\AppData\Local\Temp\bin.exe | "C:\Users\Admin\AppData\Local\Temp\bin.exe" |
| C:\Windows\SysWOW64\msiexec.exe | "C:\Windows\SysWOW64\msiexec.exe" |
| C:\Program Files\Mozilla Firefox\Firefox.exe | "C:\Program Files\Mozilla Firefox\Firefox.exe" |
| C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -pss -s 440 -p 3048 -ip 3048 |
| C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 3048 -s 124 |
Network
| Country | Destination | Domain | Proto |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 104.80.225.205:443 | | tcp |
| N/A | 20.50.201.200:443 | | tcp |
| N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | www.ambilis.com | udp |
| N/A | 199.59.243.222:80 | www.ambilis.com | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | www.theedenpublicschool.com | udp |
| N/A | 162.214.81.26:80 | www.theedenpublicschool.com | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 67.26.109.254:80 | | tcp |
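The Network table above can be reduced to indicators mechanically rather than by hand. The script below is an added example and not part of the report: it parses the behavioral2 rows in the form printed on this page (the rows without a domain get an empty Domain cell), counts TCP connections per destination, maps each name the sample looked up on udp/53 to the addresses the TCP rows attribute to it, and flags destinations contacted repeatedly on a port other than 80 or 443. The threshold of five connections and the choice of 80/443 as ordinary web ports are my assumptions.

```python
"""Reduce a sandbox report's Network table to indicators and beacon candidates.

Added example, not part of the report. NETWORK_TABLE is the behavioral2 table
as printed on this page; the parsing, the DNS-to-IP correlation and the
scoring threshold are mine.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ip: str
    port: int
    domain: str   # "" when the report row carries no domain
    proto: str    # "tcp" or "udp"


NETWORK_TABLE = """
| Country | Destination | Domain | Proto |
| N/A | 93.184.221.240:80 | | tcp |
| N/A | 104.80.225.205:443 | | tcp |
| N/A | 20.50.201.200:443 | | tcp |
| N/A | 8.8.8.8:53 | javaautorun.duia.ro | udp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | www.ambilis.com | udp |
| N/A | 199.59.243.222:80 | www.ambilis.com | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 8.8.8.8:53 | www.theedenpublicschool.com | udp |
| N/A | 162.214.81.26:80 | www.theedenpublicschool.com | tcp |
| N/A | 194.5.98.109:5443 | javaautorun.duia.ro | tcp |
| N/A | 67.26.109.254:80 | | tcp |
"""

WEB_PORTS = {80, 443}   # assumption: treat these as ordinary web traffic


def parse_rows(table: str) -> list[Flow]:
    """Parse the '| Country | Destination | Domain | Proto |' rows of the report."""
    flows = []
    for line in table.strip().splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4 or cells[1] == "Destination":
            continue  # header or malformed row
        host, _, port = cells[1].rpartition(":")
        flows.append(Flow(host, int(port), cells[2], cells[3].lower()))
    return flows


def summarize(flows: list[Flow]) -> dict[tuple[str, int], dict]:
    """Per (ip, port): number of TCP connections and the domains attributed to it."""
    stats: dict[tuple[str, int], dict] = defaultdict(lambda: {"count": 0, "domains": set()})
    for f in flows:
        if f.proto != "tcp":
            continue
        entry = stats[(f.ip, f.port)]
        entry["count"] += 1
        if f.domain:
            entry["domains"].add(f.domain)
    return dict(stats)


def dns_resolutions(flows: list[Flow]) -> dict[str, list[str]]:
    """Map each name looked up on udp/53 to the IPs the TCP rows attribute to it."""
    queried = {f.domain for f in flows if f.proto == "udp" and f.port == 53 and f.domain}
    res: dict[str, set[str]] = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.domain in queried:
            res[f.domain].add(f.ip)
    return {d: sorted(ips) for d, ips in res.items()}


def beacon_candidates(flows: list[Flow], min_count: int = 5) -> list[dict]:
    """Destinations contacted at least min_count times on a port other than 80/443."""
    out = []
    for (ip, port), entry in summarize(flows).items():
        if entry["count"] >= min_count and port not in WEB_PORTS:
            out.append({"ip": ip, "port": port, "count": entry["count"],
                        "domains": sorted(entry["domains"])})
    return sorted(out, key=lambda d: -d["count"])


if __name__ == "__main__":
    flows = parse_rows(NETWORK_TABLE)
    for name, ips in dns_resolutions(flows).items():
        print(f"{name} -> {', '.join(ips)}")
    for c in beacon_candidates(flows):
        print(f"beacon candidate {c['ip']}:{c['port']} x{c['count']} {c['domains']}")
```

On this table the only candidate is 194.5.98.109:5443 under javaautorun.duia.ro, contacted ten times in a run of a few minutes; the single-connection port-80 hosts and the rows without a domain do not meet the threshold and stay as plain indicators. Because the sandbox resolves names through 8.8.8.8, the DNS rows give you the names to block and the TCP rows give you the addresses they resolved to at detonation time, which can drift, so block on the name first.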
Files
memory/4332-132-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Roaming\TzTlSUHDie.js
| MD5 | 90c052e2282de1c12470fc54d62681d9 |
| SHA1 | ea069b254dde1f6cad46afedf55c69d4516a0d7a |
| SHA256 | be62476863ca538e76f33e4758a5a5af8609d681026c4e325d8d667470aa9097 |
| SHA512 | 73661062644236fcd76f689a8271f5f2c875468fbfdd4a4431a2b419c8bc093129345ee9b83d4f87eaa389a1ff12e776ba5d0d5845899931e1b72c32d4cb5ea7 |
memory/1112-134-0x0000000000000000-mapping.dmp
C:\Users\Admin\AppData\Local\Temp\bin.exe
| MD5 | f9fdfca55156f35ea48a17947d091f4d |
| SHA1 | 15f10040cf10535deed5ca028150ed847a585d01 |
| SHA256 | 7258963be005d6914901a62c591c56427553f62537f86d70965af16dae57c0d0 |
| SHA512 | 53caa12467706839406c40e8e8a925a67f8c51ddc6abb0bf7db8ca61e03af09714cc954e959c89dae91fb45c07fc113a076e0ab34806933ca7deed520113c302 |
memory/1112-137-0x0000000000980000-0x00000000009AF000-memory.dmp
memory/1112-138-0x00000000013C0000-0x000000000170A000-memory.dmp
memory/2720-140-0x0000000003060000-0x000000000312F000-memory.dmp
memory/1112-139-0x00000000009F0000-0x0000000000A00000-memory.dmp
memory/4560-141-0x0000000000000000-mapping.dmp
memory/1112-142-0x0000000000980000-0x00000000009AF000-memory.dmp
memory/4560-144-0x0000000000AF0000-0x0000000000B1D000-memory.dmp
memory/4560-143-0x0000000000610000-0x0000000000622000-memory.dmp
memory/4560-145-0x0000000002A90000-0x0000000002DDA000-memory.dmp
memory/4560-146-0x0000000002820000-0x00000000028AF000-memory.dmp
memory/2720-147-0x0000000003440000-0x00000000034E8000-memory.dmp
memory/4560-148-0x0000000000AF0000-0x0000000000B1D000-memory.dmp
memory/2720-149-0x0000000003440000-0x00000000034E8000-memory.dmp