Malware Analysis Report

2024-09-22 16:45

Sample ID 230630-xem39sec84
Target SecuriteInfo.com.Trojan.Generic.33993308.27608.29847.exe
SHA256 a1c7a2331009bf0cac46f57a5446d3c969161c435c67ac4a1b98c0a4ce712787
Tags
darkvnc persistence rat
score
10/10

Analysis Overview

score
10/10

SHA256

a1c7a2331009bf0cac46f57a5446d3c969161c435c67ac4a1b98c0a4ce712787

Threat Level: Known bad

The file SecuriteInfo.com.Trojan.Generic.33993308.27608.29847.exe was found to be: Known bad.

Malicious Activity Summary

darkvnc persistence rat

DarkVNC

DarkVNC payload

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: MapViewOfSection

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2023-06-30 18:46

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2023-06-30 18:46

Reported

2023-06-30 18:48

Platform

win7-20230621-en

Max time kernel

101s

Max time network

102s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Generic.33993308.27608.29847.exe"

Signatures

DarkVNC

rat darkvnc

DarkVNC payload

rat

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Generic.33993308.27608.29847.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Generic.33993308.27608.29847.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2044 wrote to memory of 2040 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Generic.33993308.27608.29847.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe
PID 2040 wrote to memory of 1084 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe
PID 1084 wrote to memory of 1740 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe C:\Windows\system32\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Generic.33993308.27608.29847.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Generic.33993308.27608.29847.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k

Network

Country Destination Domain Proto
RU 5.42.66.3:80 5.42.66.3 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe

MD5 450d8900f699a7730d0219ab789fc7b2
SHA1 713a63d0321c51b0c91347d407ece92d8800c0aa
SHA256 383e4ef893f9e4a573ba5ff801d150f2d401e7badb2d18ba47698991eb3750b1
SHA512 82f2046e059923c3c1be7e82af6947b7b62c5056ae60e15675103dbd911ee9b703f0537e863f782251df7ed8a1ce2d10db173055341ae8e945a4b846df7c8418

Analysis: behavioral2

Detonation Overview

Submitted

2023-06-30 18:46

Reported

2023-06-30 18:48

Platform

win10v2004-20230621-en

Max time kernel

85s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Generic.33993308.27608.29847.exe"

Signatures

DarkVNC

rat darkvnc

DarkVNC payload

rat

Adds Run key to start application

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Generic.33993308.27608.29847.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Generic.33993308.27608.29847.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1900 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Generic.33993308.27608.29847.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe
PID 4108 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe
PID 3892 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe C:\Windows\system32\svchost.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Generic.33993308.27608.29847.exe

"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Trojan.Generic.33993308.27608.29847.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k

Network

Country Destination Domain Proto
US 8.8.8.8:53 254.5.248.8.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
RU 5.42.66.3:80 5.42.66.3 tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 3.66.42.5.in-addr.arpa udp
US 8.8.8.8:53 108.211.229.192.in-addr.arpa udp
US 8.8.8.8:53 45.19.74.20.in-addr.arpa udp
US 8.8.8.8:53 160.252.72.23.in-addr.arpa udp
US 8.8.8.8:53 2.77.109.52.in-addr.arpa udp
US 8.8.8.8:53 254.132.255.8.in-addr.arpa udp
US 173.234.155.20:443 tcp
US 173.234.155.20:443 tcp
US 8.8.8.8:53 20.155.234.173.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\whileemploy_1.exe

MD5 450d8900f699a7730d0219ab789fc7b2
SHA1 713a63d0321c51b0c91347d407ece92d8800c0aa
SHA256 383e4ef893f9e4a573ba5ff801d150f2d401e7badb2d18ba47698991eb3750b1
SHA512 82f2046e059923c3c1be7e82af6947b7b62c5056ae60e15675103dbd911ee9b703f0537e863f782251df7ed8a1ce2d10db173055341ae8e945a4b846df7c8418
