Malware Analysis Report

2024-09-22 14:32

Sample ID 231013-da5mzadb94
Target Sample.bin.zip
SHA256 6f842cb5e980860c23e5a499f73492e143eef4def47a3aede74f1df3b373f9da
Tags maze ransomware trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 6f842cb5e980860c23e5a499f73492e143eef4def47a3aede74f1df3b373f9da

Threat Level: Known bad

The file Sample.bin.zip was found to be: Known bad.

Malicious Activity Summary

maze ransomware trojan

Maze

Deletes shadow copies

Drops startup file

Sets desktop wallpaper using registry

Drops file in Program Files directory

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2023-10-13 02:49

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-13 02:49

Reported

2023-10-18 00:09

Platform

win7-20230831-en

Max time kernel

138s

Max time network

130s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Sample.dll

Signatures

Maze

trojan ransomware maze

Deletes shadow copies

ransomware

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6c350cbc26c7f372.tmp | C:\Windows\SysWOW64\regsvr32.exe | N/A

Sets desktop wallpaper using registry

ransomware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-607259312-1573743425-2763420908-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\111.bmp" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\MeasureUnprotect.ppt | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\6c350cbc26c7f372.tmp | C:\Windows\SysWOW64\regsvr32.exe | N/A
File created | C:\Program Files\DECRYPT-FILES.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\DECRYPT-FILES.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\HideReset.snd | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\SearchBlock.odp | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\6c350cbc26c7f372.tmp | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\InstallConnect.docm | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\MoveInstall.vbs | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\PushStart.wax | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\WatchStop.M2T | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\ConvertToRename.mpa | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\OpenGrant.mp3 | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\6c350cbc26c7f372.tmp | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6c350cbc26c7f372.tmp | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\InstallImport.mp4 | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\6c350cbc26c7f372.tmp | C:\Windows\SysWOW64\regsvr32.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\DECRYPT-FILES.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\SubmitCopy.htm | C:\Windows\SysWOW64\regsvr32.exe | N/A
File created | C:\Program Files (x86)\DECRYPT-FILES.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\ApproveRepair.odt | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\CompressDismount.wmv | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\DismountPop.xlsx | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\UnblockSplit.xlsb | C:\Windows\SysWOW64\regsvr32.exe | N/A
File created | C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\DECRYPT-FILES.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Sample.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\Sample.dll

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbem\wmic.exe

"C:\pyq\dngl\..\..\Windows\hdp\jtpa\j\..\..\..\system32\t\cauy\xkihe\..\..\..\wbem\gdjt\ci\..\..\wmic.exe" shadowcopy delete

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

Network

N/A

Files

memory/1180-0-0x00000000001F0000-0x000000000024D000-memory.dmp

memory/1180-1-0x00000000002A0000-0x00000000002FD000-memory.dmp

memory/1180-6-0x00000000002A0000-0x00000000002FD000-memory.dmp

memory/1180-10-0x00000000002A0000-0x00000000002FD000-memory.dmp

memory/1180-13-0x00000000002A0000-0x00000000002FD000-memory.dmp

F:\$RECYCLE.BIN\S-1-5-21-607259312-1573743425-2763420908-1000\DECRYPT-FILES.txt

MD5 e2bc33fe26a2b874a4b3b3688217603d
SHA1 6e819ced935e03b02b88982eb26dbd0b8d95ad2d
SHA256 5b4b46d1c4508678f9d812eec546a7c29e390f35a441960ecf2d4fe29e5c6add
SHA512 804e73db963bb387a1b1c16542dc3f9ca0c26e5c2fa4b20f2913a77b0a08b5e6f0cf12ab1cc1f145016f16a598f012dfaa855eda8a9651c4fb87aecfebcd6802

memory/1180-826-0x00000000002A0000-0x00000000002FD000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_F76562E7701D4B529CF3584D89B9BC9C.dat

MD5 26cb4e20db267a23a4cb7da97ec7873e
SHA1 befd341a8a95271c71eb267f59bd875fabcd96dd
SHA256 d4e92ab73dbb91459422a854c093c3d6aa200b020779d671edd5fce9e7d9cb27
SHA512 503ee5a5f96771d53e9ba627dbce73a89da3ab3bba37c7b691c293d61aac8bb20aa000357f5d504151470d1f87fa04e28f613db387d40d5bd2e8bba5b66555a9

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-13 02:49

Reported

2023-10-18 00:08

Platform

win10v2004-20230915-en

Max time kernel

152s

Max time network

161s

Command Line

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Sample.dll

Signatures

Maze

trojan ransomware maze

Deletes shadow copies

ransomware

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6cfd0cc65ce16197.tmp | C:\Windows\SysWOW64\regsvr32.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\6cfd0cc65ce16197.tmp | C:\Windows\SysWOW64\regsvr32.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A

Sets desktop wallpaper using registry

ransomware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\111.bmp" | C:\Windows\SysWOW64\regsvr32.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\JoinAssert.bmp | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\RestoreOut.avi | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\WatchSend.pub | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files (x86)\6cfd0cc65ce16197.tmp | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\SearchWait.xps | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\SwitchStep.otf | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\BlockMount.potx | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\ExportEdit.tiff | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\RegisterNew.aifc | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\SearchTest.ps1 | C:\Windows\SysWOW64\regsvr32.exe | N/A
File created | C:\Program Files (x86)\DECRYPT-FILES.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\AssertJoin.xlsm | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\ImportRename.temp | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\MeasureEdit.svgz | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\RemoveRegister.html | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\SetReceive.contact | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\GrantMove.aifc | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\ResolveOptimize.wmx | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\ConfirmUpdate.i64 | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\TestConvert.ps1xml | C:\Windows\SysWOW64\regsvr32.exe | N/A
File created | C:\Program Files\DECRYPT-FILES.txt | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\CompleteSelect.ppsm | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\EnterSync.lock | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\StartComplete.m1v | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\6cfd0cc65ce16197.tmp | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\SetCompare.dotx | C:\Windows\SysWOW64\regsvr32.exe | N/A
File opened for modification | C:\Program Files\UnregisterClose.emz | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\regsvr32.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeBackupPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeAuditPrivilege | N/A | C:\Windows\system32\vssvc.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 34 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 35 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 36 | N/A | C:\Windows\system32\wbem\wmic.exe | N/A
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 824 wrote to memory of 500 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 824 wrote to memory of 500 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 824 wrote to memory of 500 | N/A | C:\Windows\system32\regsvr32.exe | C:\Windows\SysWOW64\regsvr32.exe
PID 500 wrote to memory of 3692 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\wbem\wmic.exe
PID 500 wrote to memory of 3692 | N/A | C:\Windows\SysWOW64\regsvr32.exe | C:\Windows\system32\wbem\wmic.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Windows\system32\regsvr32.exe

regsvr32 /s C:\Users\Admin\AppData\Local\Temp\Sample.dll

C:\Windows\SysWOW64\regsvr32.exe

/s C:\Users\Admin\AppData\Local\Temp\Sample.dll

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbem\wmic.exe

"C:\k\..\Windows\awihm\aukcq\..\..\system32\xxw\dwb\..\..\wbem\f\arni\..\..\wmic.exe" shadowcopy delete

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x2c8 0x150

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 240.81.21.72.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp
US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.160.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp

Files

memory/500-0-0x0000000000AB0000-0x0000000000B0D000-memory.dmp

memory/500-1-0x0000000002390000-0x00000000023ED000-memory.dmp

memory/500-6-0x0000000002390000-0x00000000023ED000-memory.dmp

memory/500-10-0x0000000002390000-0x00000000023ED000-memory.dmp

memory/500-13-0x0000000002390000-0x00000000023ED000-memory.dmp

F:\$RECYCLE.BIN\DECRYPT-FILES.txt

MD5 64955d1ce98e92ecebcc589169ddaa95
SHA1 86f2d69edc989153f3339f78594c196f6413cc86
SHA256 29c0bf34e6bcf2a96b890128fdb36aadf9982c2229b18b38686ec92b18096808
SHA512 b47dfc7d62a719bf8e54da977a83311ab6cbd7be3cf9300f5e6cbff07336264f71ace424cac178c4104da364a2f81d4aee1b7f2cabe89a30387ee1dcd2c546b3

memory/500-773-0x0000000002390000-0x00000000023ED000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_0F3B7EC492364DEE840501A9A32694AC.dat

MD5 03ac0ad603a89ab3834f6b6bdb55bbd8
SHA1 0e33bb3828ed99e509975eddbc01b2df38de1235
SHA256 2411b32a85ece5fb7fbb89932a2a289bd6886afe1db4b3acf1031c423a49ad22
SHA512 19c4dcaeabbbec9d964e595e223ecb0a74ee96f9659bd724e953de1ca3f3d9053f5e4b7d58671ada83f2c806acd23a76aaf69501fb2a038c8c7225294ff78e0b