Malware Analysis Report

2024-11-30 21:49

Sample ID: 230206-mw7twsde75
Target: e1c771cceb693ea14bbcde32ac1355fc.bin
SHA256: a2f3bb5998f5e8079f4556198531fa771f3b6cfd9cffd8f684e1a30e6191b97a
Tags: remcos ikmerro2023 persistence rat purecrypter downloader loader
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: a2f3bb5998f5e8079f4556198531fa771f3b6cfd9cffd8f684e1a30e6191b97a

Threat Level: Known bad

The file e1c771cceb693ea14bbcde32ac1355fc.bin was found to be: Known bad.

Malicious Activity Summary

remcos ikmerro2023 persistence rat purecrypter downloader loader

Remcos

Detect PureCrypter injector

PureCrypter

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-02-06 10:50

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2023-02-06 10:49

Reported: 2023-02-06 10:52

Platform: win10v2004-20220812-en

Max time kernel: 150s

Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe"

Signatures

Remcos

rat remcos

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation | C:\ProgramData\ATM Machine\Explorer.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Explorer = "\"C:\\ProgramData\\ATM Machine\\Explorer.exe\"" | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | C:\ProgramData\ATM Machine\Explorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer = "\"C:\\ProgramData\\ATM Machine\\Explorer.exe\"" | C:\ProgramData\ATM Machine\Explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\ | C:\ProgramData\ATM Machine\Explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Explorer = "\"C:\\ProgramData\\ATM Machine\\Explorer.exe\"" | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Explorer = "\"C:\\ProgramData\\ATM Machine\\Explorer.exe\"" | C:\ProgramData\ATM Machine\Explorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dgtxdkhrpw = "\"C:\\Users\\Admin\\AppData\\Roaming\\Kyjsafxspwa\\Dgtxdkhrpw.exe\"" | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Dgtxdkhrpw = "\"C:\\Users\\Admin\\AppData\\Roaming\\Kyjsafxspwa\\Dgtxdkhrpw.exe\"" | C:\ProgramData\ATM Machine\Explorer.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\ProgramData\ATM Machine\Explorer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\ATM Machine\Explorer.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1496 wrote to memory of 4164 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1496 wrote to memory of 4164 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1496 wrote to memory of 4164 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 1496 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe
PID 1496 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe
PID 1496 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe
PID 1496 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe
PID 1496 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe
PID 1496 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe
PID 1496 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe
PID 1496 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe
PID 1496 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe
PID 1496 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe
PID 1496 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe
PID 1496 wrote to memory of 2636 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe
PID 2636 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\ProgramData\ATM Machine\Explorer.exe
PID 2636 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\ProgramData\ATM Machine\Explorer.exe
PID 2636 wrote to memory of 2596 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\ProgramData\ATM Machine\Explorer.exe
PID 2596 wrote to memory of 3128 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2596 wrote to memory of 3128 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2596 wrote to memory of 3128 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2596 wrote to memory of 4656 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\ProgramData\ATM Machine\Explorer.exe
PID 2596 wrote to memory of 4656 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\ProgramData\ATM Machine\Explorer.exe
PID 2596 wrote to memory of 4656 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\ProgramData\ATM Machine\Explorer.exe
PID 2596 wrote to memory of 1780 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\ProgramData\ATM Machine\Explorer.exe
PID 2596 wrote to memory of 1780 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\ProgramData\ATM Machine\Explorer.exe
PID 2596 wrote to memory of 1780 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\ProgramData\ATM Machine\Explorer.exe
PID 2596 wrote to memory of 3968 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\ProgramData\ATM Machine\Explorer.exe
PID 2596 wrote to memory of 3968 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\ProgramData\ATM Machine\Explorer.exe
PID 2596 wrote to memory of 3968 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\ProgramData\ATM Machine\Explorer.exe
PID 2596 wrote to memory of 3968 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\ProgramData\ATM Machine\Explorer.exe
PID 2596 wrote to memory of 3968 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\ProgramData\ATM Machine\Explorer.exe
PID 2596 wrote to memory of 3968 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\ProgramData\ATM Machine\Explorer.exe
PID 2596 wrote to memory of 3968 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\ProgramData\ATM Machine\Explorer.exe
PID 2596 wrote to memory of 3968 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\ProgramData\ATM Machine\Explorer.exe
PID 2596 wrote to memory of 3968 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\ProgramData\ATM Machine\Explorer.exe
PID 2596 wrote to memory of 3968 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\ProgramData\ATM Machine\Explorer.exe
PID 2596 wrote to memory of 3968 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\ProgramData\ATM Machine\Explorer.exe
PID 2596 wrote to memory of 3968 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\ProgramData\ATM Machine\Explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe

"C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe

C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe

C:\ProgramData\ATM Machine\Explorer.exe

"C:\ProgramData\ATM Machine\Explorer.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

C:\ProgramData\ATM Machine\Explorer.exe

"C:\ProgramData\ATM Machine\Explorer.exe"

C:\ProgramData\ATM Machine\Explorer.exe

"C:\ProgramData\ATM Machine\Explorer.exe"

C:\ProgramData\ATM Machine\Explorer.exe

"C:\ProgramData\ATM Machine\Explorer.exe"

Network

Country | Destination | Domain | Proto
AU | 104.46.162.226:443 | | tcp
NL | 5.2.68.82:1198 | | tcp
US | 67.24.171.254:80 | | tcp
US | 67.24.171.254:80 | | tcp
US | 67.24.171.254:80 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp

Files

memory/1496-132-0x0000000000570000-0x0000000000802000-memory.dmp

memory/1496-133-0x0000000005460000-0x0000000005482000-memory.dmp

memory/4164-134-0x0000000000000000-mapping.dmp

memory/4164-135-0x00000000052E0000-0x0000000005316000-memory.dmp

memory/4164-136-0x0000000005950000-0x0000000005F78000-memory.dmp

memory/4164-137-0x0000000006180000-0x00000000061E6000-memory.dmp

memory/4164-138-0x00000000061F0000-0x0000000006256000-memory.dmp

memory/4164-139-0x0000000006880000-0x000000000689E000-memory.dmp

memory/4164-140-0x0000000007EE0000-0x000000000855A000-memory.dmp

memory/4164-141-0x0000000006D80000-0x0000000006D9A000-memory.dmp

memory/2636-142-0x0000000000000000-mapping.dmp

memory/2636-143-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2636-144-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2636-145-0x0000000000400000-0x0000000000480000-memory.dmp

memory/2596-146-0x0000000000000000-mapping.dmp

C:\ProgramData\ATM Machine\Explorer.exe

MD5 e1c771cceb693ea14bbcde32ac1355fc
SHA1 bc2da06db4b0cc42595b7761ff990e303441cd99
SHA256 70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9
SHA512 fcbb24d7f938145fb82bd6d1d609a4416d78a9285499078ddabf558cac050319bac06c2b6fccdea3ec558e71c5589fb2bc76c6bee6cb4d02dd2691ded8ef2eff

C:\ProgramData\ATM Machine\Explorer.exe

MD5 e1c771cceb693ea14bbcde32ac1355fc
SHA1 bc2da06db4b0cc42595b7761ff990e303441cd99
SHA256 70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9
SHA512 fcbb24d7f938145fb82bd6d1d609a4416d78a9285499078ddabf558cac050319bac06c2b6fccdea3ec558e71c5589fb2bc76c6bee6cb4d02dd2691ded8ef2eff

memory/2636-148-0x0000000000400000-0x0000000000480000-memory.dmp

memory/3128-150-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 4280e36a29fa31c01e4d8b2ba726a0d8
SHA1 c485c2c9ce0a99747b18d899b71dfa9a64dabe32
SHA256 e2486a1bdcba80dad6dd6210d7374bd70ae196a523c06ceda71370fd3ea78359
SHA512 494fe5f0ade03669e5830bed93c964d69b86629440148d7b0881cf53203fd89443ebff9b4d1ee9d96244f62af6edede622d9eacba37f80f389a0d522e4ad4ea4

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e587085d0b14b3f04eedc15f9f7d703e
SHA1 8e1b85a18e71a321a432463b70846839878b8db4
SHA256 b96cc14efd59e7fe60801bc93a57447cf1ec7d38090d57a41af2bea51855ff36
SHA512 e9796afeb8dd0f8dccd7f3f471f36fc3a95bc24d9d0fa99958986d5fed36eef6bcde09fbd82ad6b489e29d26d3c38d60c5a6ff25689af34877bdf10edf2237f8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

MD5 06ad34f9739c5159b4d92d702545bd49
SHA1 9152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512 c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

C:\Users\Admin\AppData\Roaming\Kyjsafxspwa\Dgtxdkhrpw.exe

MD5 06914d2998f5a97addb2f5f4f93721e8
SHA1 9d71f97ed4a634deae6fe9c4af992309f818c8b1
SHA256 da7c430db04dd9ef9b1dcf1f6134af8e701144ca277bed4f864650b0db199490
SHA512 765620681536be110a084b87d088c2e3d7908855dda7b67a947842f5a66c706e4519ecd599321f6de0d31321f41a581b4e31dc15e6f85d3dee72674868f30fe0

memory/3968-159-0x0000000000000000-mapping.dmp

C:\ProgramData\ATM Machine\Explorer.exe

MD5 e1c771cceb693ea14bbcde32ac1355fc
SHA1 bc2da06db4b0cc42595b7761ff990e303441cd99
SHA256 70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9
SHA512 fcbb24d7f938145fb82bd6d1d609a4416d78a9285499078ddabf558cac050319bac06c2b6fccdea3ec558e71c5589fb2bc76c6bee6cb4d02dd2691ded8ef2eff

memory/1780-157-0x0000000000000000-mapping.dmp

memory/3968-163-0x0000000000400000-0x0000000000480000-memory.dmp

memory/3968-162-0x0000000000400000-0x0000000000480000-memory.dmp

C:\ProgramData\ATM Machine\Explorer.exe

MD5 e1c771cceb693ea14bbcde32ac1355fc
SHA1 bc2da06db4b0cc42595b7761ff990e303441cd99
SHA256 70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9
SHA512 fcbb24d7f938145fb82bd6d1d609a4416d78a9285499078ddabf558cac050319bac06c2b6fccdea3ec558e71c5589fb2bc76c6bee6cb4d02dd2691ded8ef2eff

C:\ProgramData\ATM Machine\Explorer.exe

MD5 e1c771cceb693ea14bbcde32ac1355fc
SHA1 bc2da06db4b0cc42595b7761ff990e303441cd99
SHA256 70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9
SHA512 fcbb24d7f938145fb82bd6d1d609a4416d78a9285499078ddabf558cac050319bac06c2b6fccdea3ec558e71c5589fb2bc76c6bee6cb4d02dd2691ded8ef2eff

memory/4656-155-0x0000000000000000-mapping.dmp

memory/3968-164-0x0000000000400000-0x0000000000480000-memory.dmp

memory/3968-165-0x0000000000400000-0x0000000000480000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2023-02-06 10:49

Reported: 2023-02-06 10:52

Platform: win7-20220901-en

Max time kernel: 149s

Max time network: 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe"

Signatures

Detect PureCrypter injector

loader
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

PureCrypter

loader downloader purecrypter

Remcos

rat remcos

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\ATM Machine\Explorer.exe | N/A
N/A | N/A | C:\ProgramData\ATM Machine\Explorer.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dgtxdkhrpw = "\"C:\\Users\\Admin\\AppData\\Roaming\\Kyjsafxspwa\\Dgtxdkhrpw.exe\"" | C:\ProgramData\ATM Machine\Explorer.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\ | C:\ProgramData\ATM Machine\Explorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Explorer = "\"C:\\ProgramData\\ATM Machine\\Explorer.exe\"" | C:\ProgramData\ATM Machine\Explorer.exe | N/A
Key created | \REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ | C:\ProgramData\ATM Machine\Explorer.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Dgtxdkhrpw = "\"C:\\Users\\Admin\\AppData\\Roaming\\Kyjsafxspwa\\Dgtxdkhrpw.exe\"" | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-4063495947-34355257-727531523-1000\Software\Microsoft\Windows\CurrentVersion\Run\Explorer = "\"C:\\ProgramData\\ATM Machine\\Explorer.exe\"" | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Explorer = "\"C:\\ProgramData\\ATM Machine\\Explorer.exe\"" | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Explorer = "\"C:\\ProgramData\\ATM Machine\\Explorer.exe\"" | C:\ProgramData\ATM Machine\Explorer.exe | N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\ProgramData\ATM Machine\Explorer.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\ATM Machine\Explorer.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 860 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 1964 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 860 wrote to memory of 532 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe
PID 860 wrote to memory of 532 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe
PID 860 wrote to memory of 532 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe
PID 860 wrote to memory of 532 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe
PID 860 wrote to memory of 532 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe
PID 860 wrote to memory of 532 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe
PID 860 wrote to memory of 532 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe
PID 860 wrote to memory of 532 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe
PID 860 wrote to memory of 532 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe
PID 860 wrote to memory of 532 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe
PID 860 wrote to memory of 532 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe
PID 860 wrote to memory of 532 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe
PID 860 wrote to memory of 532 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe
PID 532 wrote to memory of 288 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\ProgramData\ATM Machine\Explorer.exe
PID 532 wrote to memory of 288 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\ProgramData\ATM Machine\Explorer.exe
PID 532 wrote to memory of 288 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\ProgramData\ATM Machine\Explorer.exe
PID 532 wrote to memory of 288 | N/A | C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe | C:\ProgramData\ATM Machine\Explorer.exe
PID 288 wrote to memory of 1832 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 288 wrote to memory of 1832 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 288 wrote to memory of 1832 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 288 wrote to memory of 1832 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 288 wrote to memory of 1900 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\ProgramData\ATM Machine\Explorer.exe
PID 288 wrote to memory of 1900 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\ProgramData\ATM Machine\Explorer.exe
PID 288 wrote to memory of 1900 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\ProgramData\ATM Machine\Explorer.exe
PID 288 wrote to memory of 1900 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\ProgramData\ATM Machine\Explorer.exe
PID 288 wrote to memory of 1900 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\ProgramData\ATM Machine\Explorer.exe
PID 288 wrote to memory of 1900 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\ProgramData\ATM Machine\Explorer.exe
PID 288 wrote to memory of 1900 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\ProgramData\ATM Machine\Explorer.exe
PID 288 wrote to memory of 1900 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\ProgramData\ATM Machine\Explorer.exe
PID 288 wrote to memory of 1900 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\ProgramData\ATM Machine\Explorer.exe
PID 288 wrote to memory of 1900 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\ProgramData\ATM Machine\Explorer.exe
PID 288 wrote to memory of 1900 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\ProgramData\ATM Machine\Explorer.exe
PID 288 wrote to memory of 1900 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\ProgramData\ATM Machine\Explorer.exe
PID 288 wrote to memory of 1900 | N/A | C:\ProgramData\ATM Machine\Explorer.exe | C:\ProgramData\ATM Machine\Explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe

"C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe

C:\Users\Admin\AppData\Local\Temp\70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9.exe

C:\ProgramData\ATM Machine\Explorer.exe

"C:\ProgramData\ATM Machine\Explorer.exe"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMgAwAA==

C:\ProgramData\ATM Machine\Explorer.exe

"C:\ProgramData\ATM Machine\Explorer.exe"

Network

Country | Destination | Domain | Proto
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp
NL | 5.2.68.82:1198 | | tcp

Files

memory/860-54-0x00000000013D0000-0x0000000001662000-memory.dmp

memory/860-55-0x0000000004B70000-0x0000000004E00000-memory.dmp

memory/860-56-0x0000000074DE1000-0x0000000074DE3000-memory.dmp

memory/1964-57-0x0000000000000000-mapping.dmp

memory/1964-59-0x000000006F300000-0x000000006F8AB000-memory.dmp

memory/1964-60-0x000000006F300000-0x000000006F8AB000-memory.dmp

memory/1964-61-0x000000006F300000-0x000000006F8AB000-memory.dmp

memory/860-62-0x0000000005170000-0x00000000051F0000-memory.dmp

memory/532-63-0x0000000000400000-0x0000000000480000-memory.dmp

memory/532-64-0x0000000000400000-0x0000000000480000-memory.dmp

memory/532-66-0x0000000000400000-0x0000000000480000-memory.dmp

memory/532-68-0x0000000000400000-0x0000000000480000-memory.dmp

memory/532-69-0x0000000000400000-0x0000000000480000-memory.dmp

memory/532-70-0x0000000000400000-0x0000000000480000-memory.dmp

memory/532-71-0x0000000000400000-0x0000000000480000-memory.dmp

memory/532-73-0x0000000000400000-0x0000000000480000-memory.dmp

memory/532-75-0x0000000000400000-0x0000000000480000-memory.dmp

memory/532-76-0x0000000000432E48-mapping.dmp

memory/532-79-0x0000000000400000-0x0000000000480000-memory.dmp

\ProgramData\ATM Machine\Explorer.exe

MD5 e1c771cceb693ea14bbcde32ac1355fc
SHA1 bc2da06db4b0cc42595b7761ff990e303441cd99
SHA256 70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9
SHA512 fcbb24d7f938145fb82bd6d1d609a4416d78a9285499078ddabf558cac050319bac06c2b6fccdea3ec558e71c5589fb2bc76c6bee6cb4d02dd2691ded8ef2eff

memory/288-81-0x0000000000000000-mapping.dmp

memory/532-82-0x0000000000400000-0x0000000000480000-memory.dmp

C:\ProgramData\ATM Machine\Explorer.exe

MD5 e1c771cceb693ea14bbcde32ac1355fc
SHA1 bc2da06db4b0cc42595b7761ff990e303441cd99
SHA256 70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9
SHA512 fcbb24d7f938145fb82bd6d1d609a4416d78a9285499078ddabf558cac050319bac06c2b6fccdea3ec558e71c5589fb2bc76c6bee6cb4d02dd2691ded8ef2eff

C:\ProgramData\ATM Machine\Explorer.exe

MD5 e1c771cceb693ea14bbcde32ac1355fc
SHA1 bc2da06db4b0cc42595b7761ff990e303441cd99
SHA256 70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9
SHA512 fcbb24d7f938145fb82bd6d1d609a4416d78a9285499078ddabf558cac050319bac06c2b6fccdea3ec558e71c5589fb2bc76c6bee6cb4d02dd2691ded8ef2eff

memory/288-85-0x00000000012B0000-0x0000000001542000-memory.dmp

memory/1832-87-0x0000000000000000-mapping.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

MD5 04089e5de5c781bdb6f45117e8ac662e
SHA1 977f71199dbe464dd25faa9cb346b677745e9451
SHA256 315cfc4994bdccca1845f35b9c2ff58cf1de715e0ae88053ae96bc8920a6edbd
SHA512 a9c69c8fa2406894867556d802a807604a3eb53f5a4e623b1bb94fb27425e43b29a1c8f335a2272dd3ad84ac0e86273f1076cb229b92cafb6c1db2195e721503

memory/1832-90-0x000000006F4C0000-0x000000006FA6B000-memory.dmp

memory/1832-91-0x000000006F4C0000-0x000000006FA6B000-memory.dmp

memory/1832-92-0x000000006F4C0000-0x000000006FA6B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Kyjsafxspwa\Dgtxdkhrpw.exe

MD5 e1c771cceb693ea14bbcde32ac1355fc
SHA1 bc2da06db4b0cc42595b7761ff990e303441cd99
SHA256 70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9
SHA512 fcbb24d7f938145fb82bd6d1d609a4416d78a9285499078ddabf558cac050319bac06c2b6fccdea3ec558e71c5589fb2bc76c6bee6cb4d02dd2691ded8ef2eff

memory/1900-107-0x0000000000432E48-mapping.dmp

C:\ProgramData\ATM Machine\Explorer.exe

MD5 e1c771cceb693ea14bbcde32ac1355fc
SHA1 bc2da06db4b0cc42595b7761ff990e303441cd99
SHA256 70a0d6207bf07b9d71452c71fc65c9b8335d2099796d70a25ec6f2a03090daa9
SHA512 fcbb24d7f938145fb82bd6d1d609a4416d78a9285499078ddabf558cac050319bac06c2b6fccdea3ec558e71c5589fb2bc76c6bee6cb4d02dd2691ded8ef2eff

memory/1900-111-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1900-112-0x0000000000400000-0x0000000000480000-memory.dmp

memory/1900-113-0x0000000000400000-0x0000000000480000-memory.dmp