Malware Analysis Report

2024-10-18 21:25

Sample ID 231230-cyxrlacdbm
Target 0bb1c29f4a8c046e798cd9781cc127a7
SHA256 139b8756b01add9dcac07d3a0137b0ea49a932fc4804ad0eca63ffc2958eda72
Tags
a310logger blustealer collection spyware stealer
score
10/10

Analysis Overview

score
10/10

SHA256

139b8756b01add9dcac07d3a0137b0ea49a932fc4804ad0eca63ffc2958eda72

Threat Level: Known bad

The file 0bb1c29f4a8c046e798cd9781cc127a7 was found to be: Known bad.

Malicious Activity Summary

a310logger blustealer collection spyware stealer

A310logger

BluStealer

A310logger Executable

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Reads local data of messenger clients

Accesses Microsoft Outlook profiles

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

outlook_office_path

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Modifies system certificate store

outlook_win_path

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-30 02:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-30 02:29

Reported

2023-12-30 16:42

Platform

win7-20231215-en

Max time kernel

143s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe"

Signatures

A310logger

stealer spyware a310logger

BluStealer

stealer blustealer

A310logger Executable

Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe N/A

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1880 set thread context of 2632 N/A C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = (certificate blob omitted) C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1880 wrote to memory of 2508 N/A C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe C:\Windows\SysWOW64\schtasks.exe
PID 1880 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe
PID 2632 wrote to memory of 2640 N/A C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe

"C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JacGDBJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1D70.tmp"

C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe

"{path}"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 smtp.privateemail.com udp
US 66.29.159.53:465 smtp.privateemail.com tcp

Files

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-30 02:29

Reported

2023-12-30 16:44

Platform

win10v2004-20231215-en

Max time kernel

50s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe"

Signatures

A310logger

stealer spyware a310logger

BluStealer

stealer blustealer

A310logger Executable

Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe

"C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\JacGDBJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2584.tmp"

C:\Users\Admin\AppData\Local\Temp\0bb1c29f4a8c046e798cd9781cc127a7.exe

"{path}"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NET4\Fox.exe

Network

Files
