Malware Analysis Report

2025-08-05 21:24

Sample ID 231220-s8h9yseag2
Target dd2e2cf10a41a07faa2bfc890a30ef28
SHA256 57926c629184179f9f15f942b791bd36bfec63e28b87dd7b2f701b878bba7df4
Tags
vmprotect
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

57926c629184179f9f15f942b791bd36bfec63e28b87dd7b2f701b878bba7df4

Threat Level: Shows suspicious behavior

The file dd2e2cf10a41a07faa2bfc890a30ef28 was classified as showing suspicious behavior (score 7/10).

Malicious Activity Summary

vmprotect

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

VMProtect packed file

Suspicious use of NtSetInformationThreadHideFromDebugger

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-20 15:47

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-20 15:47

Reported

2023-12-22 06:32

Platform

win7-20231215-en

Max time kernel

139s

Max time network

128s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd2e2cf10a41a07faa2bfc890a30ef28.exe"

Signatures

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd2e2cf10a41a07faa2bfc890a30ef28.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd2e2cf10a41a07faa2bfc890a30ef28.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\msconfig.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\services32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\msconfig.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\services32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 660 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\dd2e2cf10a41a07faa2bfc890a30ef28.exe C:\Users\Admin\AppData\Roaming\msconfig.exe
PID 660 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\dd2e2cf10a41a07faa2bfc890a30ef28.exe C:\Users\Admin\AppData\Roaming\msconfig.exe
PID 660 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\dd2e2cf10a41a07faa2bfc890a30ef28.exe C:\Users\Admin\AppData\Roaming\msconfig.exe
PID 660 wrote to memory of 1720 N/A C:\Users\Admin\AppData\Local\Temp\dd2e2cf10a41a07faa2bfc890a30ef28.exe C:\Users\Admin\AppData\Roaming\msconfig.exe
PID 1720 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Roaming\msconfig.exe C:\Windows\System32\cmd.exe
PID 1720 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Roaming\msconfig.exe C:\Windows\System32\cmd.exe
PID 1720 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Roaming\msconfig.exe C:\Windows\System32\cmd.exe
PID 3008 wrote to memory of 2804 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3008 wrote to memory of 2804 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3008 wrote to memory of 2804 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1720 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Roaming\msconfig.exe C:\Users\Admin\AppData\Local\Temp\services32.exe
PID 1720 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Roaming\msconfig.exe C:\Users\Admin\AppData\Local\Temp\services32.exe
PID 1720 wrote to memory of 2960 N/A C:\Users\Admin\AppData\Roaming\msconfig.exe C:\Users\Admin\AppData\Local\Temp\services32.exe
PID 2960 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\services32.exe C:\Windows\System32\cmd.exe
PID 2960 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\services32.exe C:\Windows\System32\cmd.exe
PID 2960 wrote to memory of 2928 N/A C:\Users\Admin\AppData\Local\Temp\services32.exe C:\Windows\System32\cmd.exe
PID 2960 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\services32.exe C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
PID 2960 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\services32.exe C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
PID 2960 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\services32.exe C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
PID 2928 wrote to memory of 112 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2928 wrote to memory of 112 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2928 wrote to memory of 112 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\dd2e2cf10a41a07faa2bfc890a30ef28.exe

"C:\Users\Admin\AppData\Local\Temp\dd2e2cf10a41a07faa2bfc890a30ef28.exe"

C:\Users\Admin\AppData\Roaming\msconfig.exe

"C:\Users\Admin\AppData\Roaming\msconfig.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"' & exit

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"'

C:\Users\Admin\AppData\Local\Temp\services32.exe

"C:\Users\Admin\AppData\Local\Temp\services32.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"' & exit

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"'

Network

N/A

Files

memory/660-3-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/660-2-0x0000000000400000-0x0000000000AE3000-memory.dmp

memory/660-0-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/660-5-0x00000000000F0000-0x00000000000F1000-memory.dmp

memory/660-6-0x0000000000400000-0x0000000000AE3000-memory.dmp

\Users\Admin\AppData\Roaming\msconfig.exe

MD5 979861237c93e9a7847102eac3f35f25
SHA1 6cf8339b30cf877d5160ba39c799a5dda57e15d5
SHA256 7c4005388b4aca10385a690a4059758265012b27dccb13ee82f588cee30e6c9a
SHA512 24ef07e62b711195c0bddf62101df0d25e45a93dd85efe831d1b081a1011723b852b030eaa3842f3528ebac841e4fca6c4caff1450a69d002dca5998053376a7

C:\Users\Admin\AppData\Roaming\msconfig.exe

MD5 5f102f5f09eca1ad0ffec009117b559c
SHA1 509b72a2ed190f90263d7e2eb37b5f854137e55c
SHA256 e1dbce579b50c0b06b3caa454aa4c1396dac05409d33a2b5790456d6a578548e
SHA512 8a06d8a2be8c1f7995818c52ea099e8d6f358cebdb07f3c270d69a27ce64f348639a1422f06f8460947688e0eebd275857ea8820eaa5e900ad4d95d8fd885025

C:\Users\Admin\AppData\Roaming\msconfig.exe

MD5 918a85170b64242730f12ee6fbac0fa2
SHA1 4efbd541664dd987931e3e6c0bd3cb45ccaa8dbb
SHA256 8a7501ca02a7b8e8bbb3693e41fb256e4ee5f5e70cb6fc3f60adc8995240e560
SHA512 c1164b55974bb20c31b578b8f0a485c9493f734a5a1d24322728e4e033da0faa7fc7b870e0a94b725f8ab073ab0eaf9da4cc2ce7736957ce3c7acd2c9f250d1c

memory/1720-13-0x000000013FBA0000-0x000000013FD8C000-memory.dmp

memory/1720-14-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

memory/1720-15-0x0000000002200000-0x0000000002280000-memory.dmp

memory/1720-16-0x000000001BC40000-0x000000001BE2A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\services32.exe

MD5 0be8b762903b2a90843b9c3e3db3b471
SHA1 e7cf9bcb4c809340ebbd9aeb09bcb76e6468552a
SHA256 a937d5e7a70b9c789df57de34f41595107a6277fe4150190363d9661e7b96b3f
SHA512 31e44025376097f88f36430e83e08b9457b9e45a44e9b6f5737da0cf5dc339f69a0fd3f015877391a2c5b24dc3f0b3ecb86cd049b1237b11fd4b9b19a3c9dc3b

\Users\Admin\AppData\Local\Temp\services32.exe

MD5 247760a2ca78500ed2c87d7e9612436e
SHA1 d917191a62c9497ad793f5571265ae45724ca4b2
SHA256 005e044eb04a89bdd032b41d0894c34c585dbd3c8a34ce58a69745c2232f1f02
SHA512 c78660585df3a21c7a5cd7d934b3d0a823a68790a00f7e959e00a26294cbdfe1b70da71c0e5e5291df93d5883a739b7efb033e5f0cc7f2760e968fee647f3ef9

C:\Users\Admin\AppData\Local\Temp\services32.exe

MD5 23d0f836b2960d74d4d1dac9c3405b66
SHA1 1b092d1891c5bb6c7f1452127b72f14b4c2c1f79
SHA256 5e314bfe4bb54d4f8ae6094bcff31e8c9b75770ca143eec71b6105af02b6eef2
SHA512 83a0385f619b2da13f78c8c341f55020cf96cc30cdda2ea73b9dad34ae512387e1fd2e0dce33eb14c0b9bda438a0c03ea3535a4e62020f693946d2696f533219

C:\Users\Admin\AppData\Local\Temp\services32.exe

MD5 ddbd9ebdd46645157a0eb34edab4358d
SHA1 89a3f4a367f6fd97f4fd4cb457c2db30bbd6c1bb
SHA256 1a35de0fe3cb2b85de3ca0a41606f9db79ea788fab8254bb59f239c2ab901c3c
SHA512 db1debf82bc7d5b68302004abc9430494286d06029a046f2390578b11a5b5e6525adac0a17a525a92945d18440a4bf2e2013a256e6288fc29e003f42e2a1f092

memory/2960-23-0x000000013F850000-0x000000013FA3C000-memory.dmp

memory/1720-24-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

memory/2960-25-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

memory/2960-26-0x000000001B8A0000-0x000000001B920000-memory.dmp

\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe

MD5 1415d3cef8766b64044d48804587e97d
SHA1 4d5d324dc95cacfffe08a30096c95892ae22660e
SHA256 530f0f19333c1b89a59017b7728d0128514f1f18705af48cb4428f87bf833849
SHA512 48d0d3ea6abaaf2ed94aceea28ff4de0b8d823de5e35641860e7c9736f860c8491087d5e9a6a108a50e82db8ce0e4cf33efc3d4a390368618939cf92cf594765

memory/2956-33-0x000000013F360000-0x000000013F366000-memory.dmp

memory/2956-34-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

memory/2956-35-0x0000000002460000-0x00000000024E0000-memory.dmp

memory/2960-36-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

memory/2960-37-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

memory/2956-38-0x000007FEF57D0000-0x000007FEF61BC000-memory.dmp

memory/2956-39-0x0000000002460000-0x00000000024E0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-20 15:47

Reported

2023-12-22 06:32

Platform

win10v2004-20231215-en

Max time kernel

133s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\dd2e2cf10a41a07faa2bfc890a30ef28.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\services32.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\dd2e2cf10a41a07faa2bfc890a30ef28.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3791175113-1062217823-1177695025-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\msconfig.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\dd2e2cf10a41a07faa2bfc890a30ef28.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\dd2e2cf10a41a07faa2bfc890a30ef28.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\msconfig.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\services32.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1848 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\dd2e2cf10a41a07faa2bfc890a30ef28.exe C:\Users\Admin\AppData\Roaming\msconfig.exe
PID 1848 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\dd2e2cf10a41a07faa2bfc890a30ef28.exe C:\Users\Admin\AppData\Roaming\msconfig.exe
PID 1932 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Roaming\msconfig.exe C:\Windows\System32\cmd.exe
PID 1932 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Roaming\msconfig.exe C:\Windows\System32\cmd.exe
PID 2008 wrote to memory of 2976 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 2008 wrote to memory of 2976 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1932 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Roaming\msconfig.exe C:\Users\Admin\AppData\Local\Temp\services32.exe
PID 1932 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Roaming\msconfig.exe C:\Users\Admin\AppData\Local\Temp\services32.exe
PID 1764 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\services32.exe C:\Windows\System32\cmd.exe
PID 1764 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\services32.exe C:\Windows\System32\cmd.exe
PID 1764 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\services32.exe C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
PID 1764 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\services32.exe C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
PID 1188 wrote to memory of 3384 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1188 wrote to memory of 3384 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
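The WriteProcessMemory rows above (and the matching table in behavioral1) record one process writing into another; the writer/target pairs line up with the launch order in the Processes lists, so they can be read as a process tree. The Python below is an added example, not part of the report or its sandbox: it parses rows in the shape printed above (the constructed sample copies the behavioral2 rows, repeats included), collapses the per-call duplicates, renders the tree, and lists every image under a user-writable directory other than the submitted sample. The USER_WRITABLE prefixes are an assumption chosen for illustration.

```python
import re
from collections import defaultdict

# Constructed sample: rows copied from the behavioral2
# "Suspicious use of WriteProcessMemory" table. The sandbox emits one row per
# call, so the same parent/child pair appears more than once.
WPM_ROWS = r"""
PID 1848 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\dd2e2cf10a41a07faa2bfc890a30ef28.exe C:\Users\Admin\AppData\Roaming\msconfig.exe
PID 1848 wrote to memory of 1932 N/A C:\Users\Admin\AppData\Local\Temp\dd2e2cf10a41a07faa2bfc890a30ef28.exe C:\Users\Admin\AppData\Roaming\msconfig.exe
PID 1932 wrote to memory of 2008 N/A C:\Users\Admin\AppData\Roaming\msconfig.exe C:\Windows\System32\cmd.exe
PID 2008 wrote to memory of 2976 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1932 wrote to memory of 1764 N/A C:\Users\Admin\AppData\Roaming\msconfig.exe C:\Users\Admin\AppData\Local\Temp\services32.exe
PID 1764 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\services32.exe C:\Windows\System32\cmd.exe
PID 1764 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\services32.exe C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe
PID 1188 wrote to memory of 3384 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\schtasks.exe
"""

# Row shape: "PID <src> wrote to memory of <dst> N/A <src image> <dst image>".
# The lazy group stops at the first " X:\" that begins the second path, so an
# image path containing spaces still splits correctly.
WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (\S.*?) ([A-Za-z]:\\.*)$")

# Assumed list of directories a non-admin user can write to (illustrative).
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def parse_wpm_rows(text):
    """Return ordered, de-duplicated (src_pid, dst_pid) -> (src_image, dst_image)."""
    edges = {}
    for line in text.splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            edges.setdefault((int(m[1]), int(m[2])), (m[3], m[4]))
    return edges


def build_tree(edges):
    """Children per PID in first-seen order, image per PID, and the root PIDs
    (writers that were never themselves written to)."""
    children = defaultdict(list)
    images = {}
    for (src, dst), (src_img, dst_img) in edges.items():
        if dst not in children[src]:
            children[src].append(dst)
        images.setdefault(src, src_img)
        images.setdefault(dst, dst_img)
    targets = {dst for _, dst in edges}
    roots = [pid for pid in images if pid not in targets]
    return roots, dict(children), images


def render_tree(roots, children, images, depth=0):
    """Indented text tree, one line per PID."""
    lines = []
    for pid in roots:
        lines.append("  " * depth + f"{pid} {images[pid]}")
        lines.extend(render_tree(children.get(pid, []), children, images, depth + 1))
    return lines


def dropped_executables(roots, images):
    """Images under user-writable directories, excluding the submitted sample."""
    root_imgs = {images[r] for r in roots}
    return sorted({img for img in images.values()
                   if img not in root_imgs and any(d in img.lower() for d in USER_WRITABLE)})


if __name__ == "__main__":
    roots, children, images = build_tree(parse_wpm_rows(WPM_ROWS))
    print("\n".join(render_tree(roots, children, images)))
    print("dropped:", dropped_executables(roots, images))
```

The same parser runs unchanged over the behavioral1 rows (PIDs 660, 1720, 3008, 2804, 2960, 2928, 2956, 112), which yields the same two-branch shape: the sample writes msconfig.exe, msconfig.exe spawns a cmd.exe/schtasks.exe pair and services32.exe, and services32.exe spawns a second schtasks pair plus sihost32.exe.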

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\dd2e2cf10a41a07faa2bfc890a30ef28.exe

"C:\Users\Admin\AppData\Local\Temp\dd2e2cf10a41a07faa2bfc890a30ef28.exe"

C:\Users\Admin\AppData\Roaming\msconfig.exe

"C:\Users\Admin\AppData\Roaming\msconfig.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"'

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"' & exit

C:\Users\Admin\AppData\Local\Temp\services32.exe

"C:\Users\Admin\AppData\Local\Temp\services32.exe"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"' & exit

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe"

C:\Windows\system32\schtasks.exe

schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '"C:\Users\Admin\AppData\Local\Temp\services32.exe"'
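Both runs persist through the same schtasks command line, seen first wrapped in cmd.exe /c and then as the bare schtasks.exe invocation. The Python below is an added example, not tooling from the report: it unwraps the cmd.exe layer, tokenises the arguments while keeping the nested '"path"' quoting intact, and flags the properties a detection rule would key on: a logon trigger, the highest available run level, an action under AppData/Temp, a task name that imitates a Windows component (services32), and /f overwrite. The benign control line, the LOOKALIKE_NAMES set and the USER_WRITABLE prefixes are constructed for illustration.

```python
import re

# Constructed sample: the two command lines from the Processes list above,
# rebuilt from their parts so the mixed quoting is explicit.
TR = r'"C:\Users\Admin\AppData\Local\Temp\services32.exe"'        # /tr value as the report shows it
SCHTASKS = f"""schtasks /create /f /sc onlogon /rl highest /tn "services32" /tr '{TR}'"""
CMD_WRAPPED = f'"C:\\Windows\\System32\\cmd.exe" /c {SCHTASKS} & exit'
# Benign control line, made up for contrast (not from the report).
BENIGN = r'schtasks /create /sc daily /st 02:00 /tn "NightlyBackup" /tr "C:\Program Files\Backup\backup.exe"'

VALUE_OPTS = {"/sc", "/rl", "/tn", "/tr", "/ru", "/st", "/mo"}   # options that take a value
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")  # assumed
LOOKALIKE_NAMES = {"services", "svchost", "sihost", "msconfig", "csrss", "winlogon",
                   "lsass", "dllhost", "conhost", "runtimebroker", "explorer", "taskhost"}


def unwrap_cmd(cmdline):
    """Strip a leading `"...\\cmd.exe" /c` and a trailing `& exit` if present."""
    m = re.match(r'^"?(?:[^"\s]*\\)?cmd(?:\.exe)?"?\s+/[ck]\s+(.*)$', cmdline, re.I)
    inner = m.group(1) if m else cmdline
    return re.sub(r"\s*&\s*exit\s*$", "", inner, flags=re.I).strip()


def tokenize(cmdline):
    """Split on whitespace, keeping '...' and "..." groups (quotes included) as
    single tokens so the nested '"path"' form survives as one argument."""
    tokens, cur, quote = [], [], None
    for ch in cmdline:
        if quote:
            cur.append(ch)
            if ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
            cur.append(ch)
        elif ch.isspace():
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def parse_schtasks(cmdline):
    """Return {'opts': {...}, 'flags': {...}} for a schtasks call, else None."""
    tokens = tokenize(unwrap_cmd(cmdline))
    if not tokens:
        return None
    exe = tokens[0].strip('"').lower().rsplit("\\", 1)[-1]
    if exe not in ("schtasks", "schtasks.exe"):
        return None
    opts, flags, i = {}, set(), 1
    while i < len(tokens):
        t = tokens[i].lower()
        if t in VALUE_OPTS and i + 1 < len(tokens):
            opts[t[1:]] = tokens[i + 1].strip("'\"")   # drop both quoting layers
            i += 2
        else:
            flags.add(t)
            i += 1
    return {"opts": opts, "flags": flags}


def assess(parsed):
    """List the persistence traits of a /create call; empty list means nothing flagged."""
    if parsed is None or "/create" not in parsed["flags"]:
        return []
    o, findings = parsed["opts"], []
    if o.get("sc", "").lower() in ("onlogon", "onstart", "onidle"):
        findings.append(f"triggered by {o['sc'].lower()} (re-runs without user action)")
    if o.get("rl", "").lower() == "highest":
        findings.append("run level highest (elevated when the user is an admin)")
    if any(d in o.get("tr", "").lower() for d in USER_WRITABLE):
        findings.append("action lives in a user-writable directory")
    if re.sub(r"\d+$", "", o.get("tn", "").lower()) in LOOKALIKE_NAMES:
        findings.append(f"task name '{o['tn']}' imitates a Windows component")
    if "/f" in parsed["flags"]:
        findings.append("/f silently overwrites an existing task of the same name")
    return findings


if __name__ == "__main__":
    for line in (CMD_WRAPPED, SCHTASKS, BENIGN):
        print(line)
        for f in assess(parse_schtasks(line)):
            print("  -", f)
```

Run over process-creation logs, the same parse/assess pair catches the wrapped and unwrapped forms alike, which matters here because the report shows cmd.exe and schtasks.exe each logging the command once.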

Network

Country Destination Domain Proto
US 8.8.8.8:53 147.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
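Most rows in this table are PTR queries to 8.8.8.8, and an in-addr.arpa owner name encodes the address being looked up with its octets reversed (147.177.190.20.in-addr.arpa asks about 20.190.177.147). The Python below is an added example, not part of the report: it decodes those names, separates resolver traffic from direct connections, and cross-references the two, which shows that one PTR query is for 204.79.197.200, the same address the g.bing.com TCP connection went to. It also handles ip6.arpa names, which this report does not contain. The report does not say whether these lookups come from the sample or from the Windows 10 guest's background activity, so the output is a triage aid rather than a verdict. The constructed sample copies the table above verbatim.

```python
import ipaddress

# Constructed sample: the behavioral2 Network table, copied verbatim
# (behavioral1 recorded no network activity). Columns: Country Destination Domain Proto.
NETWORK_ROWS = """\
Country Destination Domain Proto
US 8.8.8.8:53 147.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp
"""


def ptr_to_ip(name):
    """Decode a reverse-DNS owner name to the address it describes.
    in-addr.arpa: four reversed octets; ip6.arpa: 32 reversed hex nibbles.
    Returns None for any other name or for malformed labels."""
    n = name.lower().rstrip(".")
    if n.endswith(".in-addr.arpa"):
        octets = n[: -len(".in-addr.arpa")].split(".")
        if len(octets) != 4 or not all(o.isdigit() for o in octets):
            return None
        try:
            return str(ipaddress.IPv4Address(".".join(reversed(octets))))
        except ValueError:          # an octet above 255
            return None
    if n.endswith(".ip6.arpa"):
        nibbles = n[: -len(".ip6.arpa")].split(".")
        if len(nibbles) != 32 or not all(len(x) == 1 and x in "0123456789abcdef" for x in nibbles):
            return None
        return str(ipaddress.IPv6Address(int("".join(reversed(nibbles)), 16)))
    return None


def classify_rows(text):
    """One event per row: a PTR lookup, a forward DNS lookup (both to port 53),
    or a direct connection (anything else)."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Country":
            continue
        country, dest, name, proto = parts
        host, port = dest.rsplit(":", 1)
        if port == "53":
            ip = ptr_to_ip(name)
            events.append({"kind": "ptr_lookup" if ip else "dns_lookup",
                           "resolver": host, "query": name, "target": ip, "proto": proto})
        else:
            events.append({"kind": "connection", "dst": host, "port": int(port),
                           "name": name, "proto": proto, "country": country})
    return events


def summarize(events):
    """Addresses reverse-resolved, names forward-resolved, direct connections,
    and the PTR targets that are also connection peers."""
    ptr_targets = {e["target"] for e in events if e["kind"] == "ptr_lookup"}
    connections = {(e["dst"], e["port"]) for e in events if e["kind"] == "connection"}
    return {
        "ptr_targets": sorted(ptr_targets, key=ipaddress.ip_address),
        "forward_lookups": sorted({e["query"] for e in events if e["kind"] == "dns_lookup"}),
        "connections": sorted(connections),
        "ptr_of_peers": sorted(ptr_targets & {dst for dst, _ in connections}, key=ipaddress.ip_address),
    }


if __name__ == "__main__":
    for key, value in summarize(classify_rows(NETWORK_ROWS)).items():
        print(f"{key}: {value}")
```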

Files

memory/1848-1-0x0000000000400000-0x0000000000AE3000-memory.dmp

memory/1848-0-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/1848-2-0x0000000000400000-0x0000000000AE3000-memory.dmp

C:\Users\Admin\AppData\Roaming\msconfig.exe

MD5 318ed36e9e86705a64785370dfb3d449
SHA1 c829f1a131d5831abd0407bd1cb7d03f58bbcc20
SHA256 1aedc7a7de2045368d9f15abd3e0a2fff34639db4cb1e4441a050e667ea9d828
SHA512 bae6feeb65a1796deded0bc055d89de5304b43edc6f329c0af2647bde4c04636170794a2f070b59547a34f9a01fb61218d5988ef3c5743ed896a8dc90848a1c6

C:\Users\Admin\AppData\Roaming\msconfig.exe

MD5 789d410c48d86e9c75a3f77190b25846
SHA1 8e77724c96da53994b3db26df3c5fe1e91c8b87f
SHA256 4d8b192b098e151e71d6749f5690d400f44e8cbfc494923fae79dbdf5a69aeaa
SHA512 992e18236bf37a8dbff463da4e50c6401e65a2f22146ac26e0fd8813e0e40e5f73755bfb7c149fdb3844418b03167b97ecd6e1727c79916cfb37a76aaade4cc1

C:\Users\Admin\AppData\Roaming\msconfig.exe

MD5 8c1b376208fcc1dffe640cfc9a7c4539
SHA1 8cdd314200e8b47195adba6614898db8a8aa2f17
SHA256 7546627ccf909ec2d023a342164a914e34d1e517379a617b7468835cad304705
SHA512 2987270d5ff9d4549d9ce58922c3a45e79f31837fa79b3003bd858376ea818af6a39360c659c2178d23f0a07cd3cb16fc3349837764022786d0e0704d00b9fc1

memory/1932-62-0x0000000000B50000-0x0000000000D3C000-memory.dmp

memory/1932-63-0x00007FF937B80000-0x00007FF938641000-memory.dmp

memory/1932-64-0x000000001C890000-0x000000001C8A0000-memory.dmp

memory/1932-66-0x0000000002130000-0x0000000002142000-memory.dmp

memory/1932-65-0x000000001C8A0000-0x000000001CA8A000-memory.dmp

memory/1932-79-0x00007FF937B80000-0x00007FF938641000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\services32.exe

MD5 8a14bec3d46c43d7142640b1a1764e91
SHA1 58819977b16433fa405b5a8dfa23966ab13ba11d
SHA256 25866e9432c0ed5501856d7928f1cf8dd0a27e6fe0f5293ec009a900a4cff540
SHA512 e48bd1d72888ed1ab51a4e762a333c68258c71ab0cd4fe8f2d1e109f81599bc4899edf573b306c503e4fc9fa1967c6aa275166113d511553ba2b715e52f3b740

memory/1764-80-0x00007FF937B80000-0x00007FF938641000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\services32.exe

MD5 835aad8d40d9871a75c52015e65f46a4
SHA1 e9726151dcfb5b9e33c544a463a304438d44bc72
SHA256 c7ec084b94ed35b0b5bb042a009a5717f376d35f3eb8a664d99e3002311de893
SHA512 2052db0053b078dbc8f950030052b6c0593dff04f6ee85be8764110cc582510e7180d87fab4a17bea651c492c5598a689f9fc5bb59a05eeaf30a6c7b15ca0364

memory/1764-81-0x0000000002F00000-0x0000000002F10000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Telemetry\sihost32.exe

MD5 1415d3cef8766b64044d48804587e97d
SHA1 4d5d324dc95cacfffe08a30096c95892ae22660e
SHA256 530f0f19333c1b89a59017b7728d0128514f1f18705af48cb4428f87bf833849
SHA512 48d0d3ea6abaaf2ed94aceea28ff4de0b8d823de5e35641860e7c9736f860c8491087d5e9a6a108a50e82db8ce0e4cf33efc3d4a390368618939cf92cf594765

memory/4940-95-0x0000000000D00000-0x0000000000D06000-memory.dmp

memory/4940-96-0x00007FF937B80000-0x00007FF938641000-memory.dmp

memory/1764-98-0x00007FF937B80000-0x00007FF938641000-memory.dmp

memory/4940-99-0x00007FF937B80000-0x00007FF938641000-memory.dmp

memory/4940-100-0x000000001C830000-0x000000001C840000-memory.dmp