Malware Analysis Report

2024-11-30 11:30

Sample ID: 240301-cbtresab2v
Target: 90b13c5448b62ddb92a1d0f8262ed7b7.bin
SHA256: 2dbb391b69ae1de7e1dbc0682b5067fe290f95a11c74d00cc091c281b39dd299
Tags: ransomware, spyware, stealer, lockbit
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10
SHA256: 2dbb391b69ae1de7e1dbc0682b5067fe290f95a11c74d00cc091c281b39dd299
Threat Level: Known bad

The file 90b13c5448b62ddb92a1d0f8262ed7b7.bin was found to be: Known bad.

Malicious Activity Summary

Tags: ransomware, spyware, stealer, lockbit

Lockbit family
Rule to detect Lockbit 3.0 ransomware Windows payload
Renames multiple (332) files with added filename extension
Renames multiple (587) files with added filename extension
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Deletes itself
Reads user/profile data of web browsers
Drops desktop.ini file(s)
Suspicious use of NtSetInformationThreadHideFromDebugger
Sets desktop wallpaper using registry
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: RenamesItself
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Modifies registry class
Modifies Control Panel

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-03-01 01:54

Signatures

Lockbit family
Tags: lockbit
Rule to detect Lockbit 3.0 ransomware Windows payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-03-01 01:54
Reported: 2024-03-01 01:57
Platform: win7-20240221-en
Max time kernel: 118s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe"

Signatures

Renames multiple (332) files with added filename extension
Tags: ransomware

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\AD40.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\AD40.tmp | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A

Reads user/profile data of web browsers
Tags: spyware, stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-1658372521-4246568289-2509113762-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
File opened for modification | C:\$Recycle.Bin\S-1-5-21-1658372521-4246568289-2509113762-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A

Sets desktop wallpaper using registry

Tags: ransomware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\mstH2C7Dr.bmp" | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\mstH2C7Dr.bmp" | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A

Enumerates physical storage devices

Modifies Control Panel

Tags: evasion

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-1658372521-4246568289-2509113762-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mstH2C7Dr | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mstH2C7Dr\DefaultIcon\ = "C:\\ProgramData\\mstH2C7Dr.ico" | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mstH2C7Dr | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mstH2C7Dr\ = "mstH2C7Dr" | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mstH2C7Dr\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe"

C:\ProgramData\AD40.tmp
  Command line: "C:\ProgramData\AD40.tmp"

C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\AD40.tmp >> NUL

C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x154

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | test.white-datasheet.com | udp

Files

memory/2304-0-0x0000000000210000-0x0000000000250000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-1658372521-4246568289-2509113762-1000\desktop.ini

MD5 b8d43db2825b9a048b1434f0d32a2c1f
SHA1 799634c2d1a81d9acf0ad6a226316d16bf203450
SHA256 5383aa58caa31a84bc3c112af7b0f23144d466b434211f32adc657fa22a34b76
SHA512 980da0a69ec6a339f6f41cbddcaf90703da5db8ec860f3986dbe1010c9e1eda054da74a7eebddee1cd06c9e0c904faf538d9401407d0e9d3373aa28842a94142

C:\mstH2C7Dr.README.txt

MD5 ce368aec064cc0b0d20fd87f22630781
SHA1 fd74a6f3124ac408c46f1ef082e09f00f95efeec
SHA256 e80af30fb5554f6e1ccd1643cbdec752293b915c2afa0f148973dabc112b6cc5
SHA512 6350fadf4198fb7e79180e780a36029d4ceb5878d75f4b0c44a36c915364dd50c05deb4972f849b634537c48494438d78c3cb22f4377016420b77f0e36ad526e

F:\$RECYCLE.BIN\S-1-5-21-1658372521-4246568289-2509113762-1000\DDDDDDDDDDD

MD5 46589c5f12771e1a5c76501008f8182b
SHA1 6257d00e93816293b5bdd51559c8366716e43cc4
SHA256 3b024852f44eca4f1552d0e2ad9a6231cb59d6ace0f194a48a206e283208e2ee
SHA512 c6ae24bbaa26dc330c2801909f1864ec580f71270523939b41feed1fd6d611cbd65bb4a5e26c5fa6faf3ecdd29b892d7e60112db0809cf1223565f799fb16e12

\ProgramData\AD40.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/2236-850-0x000000007EFA0000-0x000000007EFA1000-memory.dmp

memory/2236-851-0x0000000000300000-0x0000000000340000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB

MD5 77b2eceb093ab985d382aa0218ffce4e
SHA1 8115d92ad0b18de143f2b9a849461d51a6482257
SHA256 65510a9d41b3fe9b1e2ad25514cf4223eb10d9f6e193205e1a74fc936dd77c1e
SHA512 b67969ffdf8c581969abdf195eefaf30af0866409961964ef62b9afe0340363cb96114b647075407f662d6b3ae5ba8122eec8d3f43c5663d15e6ad216c92f4d3

memory/2236-853-0x000000007EF80000-0x000000007EF81000-memory.dmp

memory/2236-861-0x000000007EF20000-0x000000007EF21000-memory.dmp

memory/2236-882-0x000000007EF40000-0x000000007EF41000-memory.dmp

memory/2236-883-0x000000007EF60000-0x000000007EF61000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-03-01 01:54
Reported: 2024-03-01 01:57
Platform: win10v2004-20240226-en
Max time kernel: 147s
Max time network: 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe"

Signatures

Renames multiple (587) files with added filename extension
Tags: ransomware

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International\Geo\Nation | C:\ProgramData\5975.tmp | N/A

Deletes itself

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\5975.tmp | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\ProgramData\5975.tmp | N/A

Reads user/profile data of web browsers
Tags: spyware, stealer

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File opened for modification | C:\$Recycle.Bin\S-1-5-21-513485977-2495024337-1260977654-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
File opened for modification | F:\$RECYCLE.BIN\S-1-5-21-513485977-2495024337-1260977654-1000\desktop.ini | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A

Sets desktop wallpaper using registry

Tags: ransomware

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\Desktop\WallPaper = "C:\\ProgramData\\mstH2C7Dr.bmp" | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\Desktop\Wallpaper = "C:\\ProgramData\\mstH2C7Dr.bmp" | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A

Enumerates physical storage devices

Modifies Control Panel

Tags: evasion

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\International | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\Desktop | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-513485977-2495024337-1260977654-1000\Control Panel\Desktop\WallpaperStyle = "10" | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mstH2C7Dr | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\mstH2C7Dr\DefaultIcon\ = "C:\\ProgramData\\mstH2C7Dr.ico" | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.mstH2C7Dr | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.mstH2C7Dr\ = "mstH2C7Dr" | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\mstH2C7Dr\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
(the row above appears 64 times in the report, one identical entry per recorded event)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\90b13c5448b62ddb92a1d0f8262ed7b7.exe"

C:\ProgramData\5975.tmp
  Command line: "C:\ProgramData\5975.tmp"

C:\Windows\SysWOW64\cmd.exe
  Command line: "C:\Windows\System32\cmd.exe" /C DEL /F /Q C:\PROGRA~3\5975.tmp >> NUL

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp
US | 8.8.8.8:53 | test.white-datasheet.com | udp
US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | test.white-datasheet.com | udp
US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 11.173.189.20.in-addr.arpa | udp

Files

memory/3692-0-0x0000000000E20000-0x0000000000E30000-memory.dmp

memory/3692-1-0x0000000000E20000-0x0000000000E30000-memory.dmp

C:\$Recycle.Bin\S-1-5-21-513485977-2495024337-1260977654-1000\OOOOOOOOOOO

MD5 58dac315ac3cc5e33cb686d73a934a3c
SHA1 2d62d90ae5cc600431d454099d06a08789dc0a64
SHA256 54f84a35b20cea95013c4a6f1134a8945375b542319d8fc97749667fe498fda2
SHA512 9e8ad2d90e3149299125e98567e2c34b666779b41a49f82fe20e0ce181c733569293df6667e48204fff629c1fdf0443e5eb5e67b63e04c069214a22dedde2954

C:\mstH2C7Dr.README.txt

MD5 d917479ce72cc5682c57cda858687dde
SHA1 be36700a2656d1c1a9ad4b93c4e711e1197ac9d0
SHA256 aaa8d17957d1f406aed3fbc02db51e50fa8764abc324ea5142c4da1ba7064f0c
SHA512 019b80b099df85c0660a5eed5f586b88ad2b5b4ced747ed34b9c3a5c5628ec2fd21a9a8964de3ae98ec91f9c83f3fd53f41d33c683992c00e151a4690b4c8409

F:\$RECYCLE.BIN\S-1-5-21-513485977-2495024337-1260977654-1000\DDDDDDDDDDD

MD5 c23b16cd46b542a32b2dd1712fe2be68
SHA1 3f94eb2f7e94c62c33f8c977483e5327b80073bf
SHA256 3c55e843eb3341194987b07ae792b344dbba392b60328223d3ec412ce64292c1
SHA512 feb253a207c00c604687faba3f2d2ca1816697c2c550b19c3574baebe55daf0e032a4e6f691fd3bff2627cc6c507b967832f9b9afbe07290c95d1d98b5855395

memory/3692-2720-0x0000000000E20000-0x0000000000E30000-memory.dmp

memory/3692-2721-0x0000000000E20000-0x0000000000E30000-memory.dmp

C:\ProgramData\5975.tmp

MD5 294e9f64cb1642dd89229fff0592856b
SHA1 97b148c27f3da29ba7b18d6aee8a0db9102f47c9
SHA256 917e115cc403e29b4388e0d175cbfac3e7e40ca1742299fbdb353847db2de7c2
SHA512 b87d531890bf1577b9b4af41dddb2cdbbfa164cf197bd5987df3a3075983645a3acba443e289b7bfd338422978a104f55298fbfe346872de0895bde44adc89cf

memory/4528-2728-0x000000007FE40000-0x000000007FE41000-memory.dmp

memory/4528-2729-0x00000000025F0000-0x0000000002600000-memory.dmp

memory/4528-2730-0x00000000025F0000-0x0000000002600000-memory.dmp

memory/4528-2731-0x000000007FE20000-0x000000007FE21000-memory.dmp

memory/4528-2732-0x000000007FDC0000-0x000000007FDC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD

MD5 ee3c6088e1022aff311ccbf6844a8224
SHA1 93cf35de8aaa6b8ec6bc58c061e3cd31d299cf6e
SHA256 6ef914221775bd4eb30d05605ee78d80f528cfafcbf9f8067e824ccd90167dc0
SHA512 5f6f3e36639ae502b3142290ace494dec52f43bac0f53c3177570c791cdedf8c7a5f37b322d201ffd824cb501c7f8135ae13facacba997bc1c1876e42a3a7d95

memory/4528-2761-0x000000007FDE0000-0x000000007FDE1000-memory.dmp

memory/4528-2762-0x000000007FE00000-0x000000007FE01000-memory.dmp