Malware Analysis Report

2024-09-22 14:44

Sample ID 231020-ps2jtacf39
Target e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.bin
SHA256 e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684
Tags
maze ransomware spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684

Threat Level: Known bad

The file e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.bin was found to be: Known bad.

Malicious Activity Summary

maze ransomware spyware stealer trojan

Maze

Deletes shadow copies

Drops startup file

Reads user/profile data of web browsers

Sets desktop wallpaper using registry

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2023-10-20 12:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-20 12:36

Reported

2023-10-20 12:39

Platform

win7-20230831-en

Max time kernel

136s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"

Signatures

Maze

trojan ransomware maze

Deletes shadow copies

ransomware

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.html C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\8kwiyi.dat C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe N/A

Reads user/profile data of web browsers

spyware stealer

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-86725733-3001458681-3405935542-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\123456789.bmp" C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe

"C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"

C:\Windows\system32\wbem\wmic.exe

"C:\ckqr\cjam\..\..\Windows\qtbu\uujx\..\..\system32\strly\nbncv\..\..\wbem\s\xlhg\naqs\..\..\..\wmic.exe" shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbem\wmic.exe

"C:\h\qmqpp\..\..\Windows\pe\sxar\..\..\system32\qtu\..\wbem\wjov\ldgjq\fbp\..\..\..\wmic.exe" shadowcopy delete

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{3F6B5E16-092A-41ED-930B-0B4125D91D4E}

Network

Country Destination Domain Proto
TR 92.63.8.47:80 tcp
TR 92.63.8.47:80 tcp
TR 92.63.8.47:80 tcp
TR 92.63.8.47:80 tcp
TR 92.63.8.47:80 tcp
TR 92.63.8.47:80 tcp
PL 92.63.32.2:80 tcp
PL 92.63.32.2:80 tcp
PL 92.63.32.2:80 tcp
PL 92.63.37.100:80 tcp
PL 92.63.32.2:80 tcp
PL 92.63.32.2:80 tcp
PL 92.63.32.2:80 tcp
PL 92.63.37.100:80 tcp
PL 92.63.37.100:80 tcp
PL 92.63.37.100:80 tcp
PL 92.63.37.100:80 tcp
PL 92.63.37.100:80 tcp
RU 92.63.194.20:80 92.63.194.20 tcp
RU 92.63.194.20:80 92.63.194.20 tcp
SI 92.63.17.245:80 92.63.17.245 tcp
PL 92.63.32.55:80 tcp

Files

memory/3016-0-0x0000000000070000-0x00000000000C9000-memory.dmp

memory/3016-1-0x00000000004C0000-0x000000000051B000-memory.dmp

memory/3016-6-0x00000000004C0000-0x000000000051B000-memory.dmp

memory/3016-10-0x00000000004C0000-0x000000000051B000-memory.dmp

C:\MSOCache\DECRYPT-FILES.html

MD5 dd0412f3c4d9b88e4124b192d7a7407d
SHA1 877173e17b9b2d38fbac0613ad6c00c758a27360
SHA256 9c24bd6b3b4634958ea532d364ab33f008998c61966f9f82d448459cdfc0cf8b
SHA512 9dbb8efeb10229069fcaa15981d64ad536f8387dc3ca41aa48cc9f4c71ef5dd5d38e6830158b78c28a9c8f81e482336aa192f262e2488335ba087a323c8eb35c

memory/3016-14-0x00000000004C0000-0x000000000051B000-memory.dmp

memory/3016-1718-0x00000000004C0000-0x000000000051B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_7126A68A5EA84868B8AADBA6E08C0FA2.dat

MD5 e5dc13d5977fb9536837d0b5b5f93806
SHA1 d4319921ef7229c53617120ec9c663668499e650
SHA256 88e70419d9a4d9fc0b27ed1eb1790c5ce61ea579063842275e9f0a70b8ff2f16
SHA512 336ac984b05304b28bb45e4f7e2ad0674e996e520751a33c4939fc901be3f4f3c0cb3ac98744d9c907c774672e8ceb45c1853fba6d61aa163dba1f2321fd927f

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-20 12:36

Reported

2023-10-20 12:39

Platform

win10v2004-20230915-en

Max time kernel

151s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"

Signatures

Maze

trojan ransomware maze

Deletes shadow copies

ransomware

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DECRYPT-FILES.html C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\70lbe4ww5.dat C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe N/A
File created C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\DECRYPT-FILES.html C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe N/A
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\70lbe4ww5.dat C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe N/A

Reads user/profile data of web browsers

spyware stealer

Sets desktop wallpaper using registry

ransomware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1574508946-349927670-1185736483-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\\\123456789.bmp" C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 35 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 36 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 33 N/A C:\Windows\system32\wbem\wmic.exe N/A
Token: 34 N/A C:\Windows\system32\wbem\wmic.exe N/A

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe

"C:\Users\Admin\AppData\Local\Temp\e8a091a84dd2ea7ee429135ff48e9f48f7787637ccb79f6c3eb42f34588bc684.exe"

C:\Windows\system32\wbem\wmic.exe

"C:\m\..\Windows\rbav\..\system32\jkne\pkfnh\..\..\wbem\x\..\wmic.exe" shadowcopy delete

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\wbem\wmic.exe

"C:\d\nmh\..\..\Windows\h\ps\..\..\system32\dm\..\wbem\bepxh\..\wmic.exe" shadowcopy delete

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4a0 0x31c

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
TR 92.63.8.47:80 tcp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 126.177.238.8.in-addr.arpa udp
TR 92.63.8.47:80 tcp
PL 92.63.32.2:80 tcp
PL 92.63.32.2:80 tcp
TR 92.63.8.47:80 tcp
PL 92.63.37.100:80 tcp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
TR 92.63.8.47:80 tcp
PL 92.63.37.100:80 tcp
PL 92.63.32.2:80 tcp
RU 92.63.194.20:80 92.63.194.20 tcp
RU 92.63.194.20:80 92.63.194.20 tcp
SI 92.63.17.245:80 92.63.17.245 tcp
PL 92.63.32.55:80 tcp
US 8.8.8.8:53 245.17.63.92.in-addr.arpa udp
US 8.8.8.8:53 20.194.63.92.in-addr.arpa udp
PL 92.63.32.2:80 tcp
PL 92.63.37.100:80 tcp
PL 92.63.32.55:80 tcp
PL 92.63.37.100:80 tcp
US 8.8.8.8:53 122.10.44.20.in-addr.arpa udp

Files

memory/4000-0-0x0000000002580000-0x00000000025D9000-memory.dmp

memory/4000-1-0x0000000002720000-0x000000000277B000-memory.dmp

memory/4000-6-0x0000000002720000-0x000000000277B000-memory.dmp

memory/4000-10-0x0000000002720000-0x000000000277B000-memory.dmp

memory/4000-11-0x0000000002720000-0x000000000277B000-memory.dmp

memory/4000-15-0x0000000002720000-0x000000000277B000-memory.dmp

C:\Users\DECRYPT-FILES.html

MD5 9ac945060a34aabaf34f52cc99f39fbe
SHA1 4755036a0c3e0ceb548347c25003319cb0efe2b0
SHA256 0f9932c83170b1b0a83187c4dc045732266399dcc4af91e5a0b9a29336326ccc
SHA512 a0ec64d369ed739c430b8fc885fadb6527770f73635dc0503e91066537c9e38b232e9d8b17f138a8b05b277d25e1a9a478faaf986061b2b5ce7ecf9dab552187

memory/4000-4894-0x0000000002720000-0x000000000277B000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Speech\Files\UserLexicons\SP_3F9B692A79854BADB08EF88D58242CD0.dat

MD5 e138584e3df90dbe6f55232c0fff93d0
SHA1 a72c63341a493113f415bab492c816cf2006e03d
SHA256 242082ac6ebc54dabdcfc8874bf431d5984aa1594f5ff156dbb0a310204bb1d3
SHA512 cfb651198fa967617fa1d9a0a5b8362d85adb13b14825a24a160bde1e80a59d271134c692e6139f5ba8704265fc62ba26cde36d1b36813fce7838083aea68e2c