Malware Analysis Report

2024-11-16 12:23

Sample ID: 240317-1s9e7shg3z
Target: 90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953
SHA256: 90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953
Tags: discovery exploit
Score: 8/10


Analysis Overview

Score: 8/10
SHA256: 90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953
Threat level: Likely malicious

Malicious Activity Summary

discovery exploit

Possible privilege escalation attempt

Modifies file permissions

Checks computer location settings

Looks up external IP address via web service

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK (Enterprise Matrix V15)

No technique mappings are present in this export of the report; the tags discovery and exploit in the summary above are the only classification labels it carries.

Analysis: static1

Detonation Overview

Reported

2024-03-17 21:55

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-17 21:55

Reported

2024-03-17 21:58

Platform

win10v2004-20240226-en

Max time kernel

143s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe N/A 34 identical events

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 34 (SeTimeZonePrivilege, required by tzutil /s) N/A C:\Windows\system32\tzutil.exe N/A

Suspicious use of WriteProcessMemory

Each row pairs a parent with a child it had just launched (cmd.exe, tzutil.exe, WerFault.exe). CreateProcess writes the new process's startup parameters into the child's address space, so here this signature records process creation, not injection into an unrelated process. Identical rows are collapsed into a Count column.

Description Indicator Process Target Count
PID 2972 wrote to memory of 4980 N/A C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe C:\Windows\system32\cmd.exe 2
PID 2972 wrote to memory of 3980 N/A C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe C:\Windows\system32\cmd.exe 2
PID 2972 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe C:\Windows\System32\cmd.exe 2
PID 2972 wrote to memory of 1064 N/A C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe C:\Windows\system32\cmd.exe 2
PID 2196 wrote to memory of 456 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\tzutil.exe 2
PID 2972 wrote to memory of 1188 N/A C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe C:\Windows\system32\cmd.exe 2
PID 2972 wrote to memory of 3492 N/A C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe C:\Windows\system32\WerFault.exe 2

Processes

Process tree reconstructed from the process list and the WriteProcessMemory parent/child rows above (PIDs taken from that table):

2972 C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe
    "C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe"
  C:\Windows\system32\cmd.exe /c cls (four instances: PIDs 4980, 3980, 1064, 1188)
  2196 C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C tzutil /s "W. Europe Standard Time"
    456 C:\Windows\system32\tzutil.exe
      tzutil /s "W. Europe Standard Time"
  3492 C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2972 -s 1848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4192 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

WerFault.exe -p 2972 is Windows Error Reporting handling a crash of the sample's own process (2972), so the Windows 10 run ends early: the takeown/icacls activity and the System32 file drop recorded in behavioral1 do not occur here, and the time-zone change via tzutil is the only system modification this run records. The msedge.exe utility process has no parent/child relationship with the sample anywhere in the report and is sandbox background activity.

Network

Rows whose Domain ends in in-addr.arpa are PTR (reverse DNS) lookups of addresses seen in the capture, not connections the sample opened by name. g.bing.com and tse1.mm.bing.net are consistent with the Edge background process listed above. The hosts not explained by sandbox or Edge activity are watermelon.vantacheats.de (172.67.134.179:443, a Cloudflare address) and icanhazip.com (104.16.184.241:80, also Cloudflare-fronted); 20.231.121.79:80, 13.107.246.64:443 and the two loopback connections carry no hostname in the capture.

Country Destination Domain Proto
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 watermelon.vantacheats.de udp
US 172.67.134.179:443 watermelon.vantacheats.de tcp
US 8.8.8.8:53 179.134.67.172.in-addr.arpa udp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
US 8.8.8.8:53 241.184.16.104.in-addr.arpa udp
N/A 127.0.0.1:49831 tcp
N/A 127.0.0.1:49833 tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 42.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 26.178.89.13.in-addr.arpa udp

Files

memory/2972-0-0x0000000140000000-0x0000000141413000-memory.dmp

memory/2972-1-0x00007FF9F58F0000-0x00007FF9F58F2000-memory.dmp

memory/2972-2-0x0000000140000000-0x0000000141413000-memory.dmp

memory/2972-3-0x0000000140000000-0x0000000141413000-memory.dmp

memory/2972-7-0x0000000140000000-0x0000000141413000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-17 21:55

Reported

2024-03-17 21:58

Platform

win7-20231129-en

Max time kernel

150s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe"

Signatures

Possible privilege escalation attempt

exploit
Description Indicator Process Target Count
N/A N/A C:\Windows\system32\takeown.exe N/A 2
N/A N/A C:\Windows\system32\icacls.exe N/A 2

Modifies file permissions

discovery
Description Indicator Process Target Count
N/A N/A C:\Windows\system32\icacls.exe N/A 2
N/A N/A C:\Windows\system32\takeown.exe N/A 2

Both signatures fire on the same two takeown.exe and two icacls.exe runs, each launched through its own cmd.exe by the sample (see the WriteProcessMemory rows below; takeown also acquires SeTakeOwnershipPrivilege in the AdjustPrivilegeToken table). takeown followed by icacls is the usual way for an already-elevated process to seize ownership of a protected system path and rewrite its ACL, which fits the file written under System32 in the next signature. The takeown and icacls command lines are not part of this export, so their exact target cannot be confirmed from the page.

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A icanhazip.com N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\OpenSSH\MSAudDecMFT.dll C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe N/A

MSAudDecMFT.dll is the name of a Microsoft Media Foundation audio decoder DLL that lives directly in System32 on current Windows releases; System32\OpenSSH is not a location it normally occupies. The report does not show the file being loaded by any process, so its role is not established here.

Enumerates physical storage devices

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = (value not included in this export) C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (value not included in this export) C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8 C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13 C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (value not included in this export) C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = (value not included in this export) C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = (value not included in this export) C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe N/A

The three thumbprints are well-known public roots: CABD2A79… is ISRG Root X1 (Let's Encrypt), DAC9024F… is DST Root CA X3, and B1BC968B… is GlobalSign Root CA. The one Blob value preserved above decodes as a sequence of CryptoAPI certificate properties (each a DWORD property ID, a DWORD equal to 1, a DWORD length and the data): cached hashes, the key identifier 607B661A…, the friendly name "GlobalSign" in UTF-16LE, usage data and finally property 0x20, the 889-byte DER certificate. AuthRoot is the store that Windows' automatic root-certificate update populates when a TLS chain it builds needs a root that is not yet cached, so this signature on its own does not show a rogue root being installed; the ISRG Root X1 entry goes to the ROOT store rather than AuthRoot, and both stores are trusted for chain building. Check any thumbprint written here against Microsoft's trusted root program list before using it as an indicator; a blob whose property 0x20 does not hash to the key name would be the real red flag.
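The check described above, as an added example that is not part of the report or of any sandbox tooling: a parser for the Blob property layout that recomputes the certificate's SHA-1 and compares it with the cached hash and the registry key name, then looks the result up against the three thumbprints from this report. The property IDs come from wincrypt.h; the sample blob, the stand-in "certificate" bytes and the tampered variant are constructed here so the block runs offline. To run it on the report's own value, pass `bytes.fromhex()` of the hex after "Blob =" together with the key name B1BC968BD4F49D622AA89A81F2150152A41D829C.

```python
"""Parse and sanity-check a Windows SystemCertificates\\...\\Certificates\\<thumbprint>\\Blob value.

A Blob is a sequence of CryptoAPI certificate properties, each encoded as
DWORD prop_id, DWORD reserved (always 1), DWORD length, then `length` bytes of data.
"""
import hashlib
import struct

# Property IDs from wincrypt.h that this check relies on
CERT_SHA1_HASH_PROP_ID = 0x03        # cached SHA-1 of the certificate (also the store key name)
CERT_FRIENDLY_NAME_PROP_ID = 0x0B    # UTF-16LE, NUL-terminated display name
CERT_KEY_IDENTIFIER_PROP_ID = 0x14   # subject key identifier
CERT_CERT_PROP_ID = 0x20             # the DER-encoded certificate itself

# SHA-1 thumbprints written by the sample in behavioral1; all are well-known public roots
KNOWN_PUBLIC_ROOTS = {
    "CABD2A79A1076A31F21D253635CB039D4329A5E8": "ISRG Root X1",
    "DAC9024F54D8F6DF94935FB1732638CA6AD77C13": "DST Root CA X3",
    "B1BC968BD4F49D622AA89A81F2150152A41D829C": "GlobalSign Root CA",
}


def parse_blob(blob: bytes) -> dict:
    """Return {prop_id: data} for every property in the blob; raise on malformed input."""
    props, off = {}, 0
    while off < len(blob):
        if len(blob) - off < 12:
            raise ValueError(f"truncated property header at offset {off}")
        prop_id, reserved, length = struct.unpack_from("<III", blob, off)
        off += 12
        if reserved != 1:
            raise ValueError(f"unexpected reserved field {reserved:#x} in property {prop_id:#x}")
        if off + length > len(blob):
            raise ValueError(f"property {prop_id:#x} runs {off + length - len(blob)} bytes past the end")
        props[prop_id] = blob[off:off + length]
        off += length
    return props


def build_blob(props) -> bytes:
    """Inverse of parse_blob; used here only to construct sample data in the same layout."""
    return b"".join(struct.pack("<III", prop_id, 1, len(data)) + data for prop_id, data in props)


def check_blob(key_thumbprint: str, blob: bytes) -> dict:
    """Recompute the certificate's SHA-1 and compare it with the cached hash and the key name."""
    props = parse_blob(blob)
    der = props.get(CERT_CERT_PROP_ID, b"")
    cached = props.get(CERT_SHA1_HASH_PROP_ID, b"").hex().upper()
    actual = hashlib.sha1(der).hexdigest().upper() if der else ""
    name = props.get(CERT_FRIENDLY_NAME_PROP_ID, b"").decode("utf-16-le").rstrip("\x00")
    return {
        "thumbprint": actual,
        "friendly_name": name,
        "consistent": bool(der) and cached == actual == key_thumbprint.upper(),
        "known_public_root": KNOWN_PUBLIC_ROOTS.get(actual),
    }


# Constructed sample data (not taken from the report): a stand-in for DER certificate bytes,
# wrapped in the real Blob layout so the block runs offline.
FAKE_DER = bytes(range(256)) * 2
SAMPLE_KEY = hashlib.sha1(FAKE_DER).hexdigest().upper()
SAMPLE_BLOB = build_blob([
    (CERT_SHA1_HASH_PROP_ID, hashlib.sha1(FAKE_DER).digest()),
    (CERT_FRIENDLY_NAME_PROP_ID, "Constructed Test Root\x00".encode("utf-16-le")),
    (CERT_CERT_PROP_ID, FAKE_DER),
])
# Same layout with one certificate byte altered: the cached hash and key name no longer match.
TAMPERED_BLOB = build_blob([
    (CERT_SHA1_HASH_PROP_ID, hashlib.sha1(FAKE_DER).digest()),
    (CERT_CERT_PROP_ID, FAKE_DER[:-1] + b"\x00"),
])

if __name__ == "__main__":
    print(check_blob(SAMPLE_KEY, SAMPLE_BLOB))
    print(check_blob(SAMPLE_KEY, TAMPERED_BLOB))
```

A blob whose property 0x20 hashes to a thumbprint that is neither the key name nor a known public root is what would justify the "modifies system certificate store" label; for the value in this report the decoded friendly name is "GlobalSign" and the hash matches the key name.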

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Count
N/A N/A C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe N/A 64 identical events

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 34 (SeTimeZonePrivilege, required by tzutil /s) N/A C:\Windows\system32\tzutil.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Each row is a parent writing into a child it had just created (cmd.exe, tzutil.exe, takeown.exe, icacls.exe), which is what CreateProcess does when it sets up a new process's startup parameters, not injection into an unrelated process. The rows do, however, give the parentage that ties takeown.exe and icacls.exe back to the sample through cmd.exe. Identical rows are collapsed into a Count column.

Description Indicator Process Target Count
PID 1660 wrote to memory of 2604 N/A C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe C:\Windows\system32\cmd.exe 3
PID 1660 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe C:\Windows\system32\cmd.exe 3
PID 1660 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe C:\Windows\System32\cmd.exe 3
PID 1660 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe C:\Windows\system32\cmd.exe 3
PID 2620 wrote to memory of 2740 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\tzutil.exe 3
PID 1660 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe C:\Windows\system32\cmd.exe 3
PID 1660 wrote to memory of 2764 N/A C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe C:\Windows\system32\cmd.exe 3
PID 1660 wrote to memory of 2424 N/A C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe C:\Windows\system32\cmd.exe 3
PID 2424 wrote to memory of 2152 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\takeown.exe 3
PID 1660 wrote to memory of 2816 N/A C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe C:\Windows\system32\cmd.exe 3
PID 2816 wrote to memory of 2936 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\icacls.exe 3
PID 1660 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe C:\Windows\system32\cmd.exe 3
PID 1660 wrote to memory of 1656 N/A C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe C:\Windows\system32\cmd.exe 3
PID 1660 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe C:\Windows\System32\cmd.exe 3
PID 1660 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe C:\Windows\System32\cmd.exe 3
PID 1660 wrote to memory of 768 N/A C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe C:\Windows\System32\cmd.exe 3
PID 1660 wrote to memory of 1640 N/A C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe C:\Windows\System32\cmd.exe 3
PID 1660 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe C:\Windows\system32\cmd.exe 2
PID 1660 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe C:\Windows\system32\cmd.exe
PID 1088 wrote to memory of 2292 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 1088 wrote to memory of 2292 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 1088 wrote to memory of 2292 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 556 wrote to memory of 1740 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 556 wrote to memory of 1740 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 556 wrote to memory of 1740 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 1660 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe C:\Windows\system32\cmd.exe
PID 1660 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe C:\Windows\system32\cmd.exe
PID 1660 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe C:\Windows\system32\cmd.exe
PID 1660 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe C:\Windows\system32\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe

"C:\Users\Admin\AppData\Local\Temp\90e311349e1073863325d6b0a3356587dcd77ddf964ff4b1222e7d61b965f953.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C tzutil /s "W. Europe Standard Time"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\tzutil.exe

tzutil /s "W. Europe Standard Time"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cd "C:\Users\Admin\AppData\Local\Temp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c takeown /F %systemroot%\System32\MSAudDecMFT.dll

C:\Windows\system32\takeown.exe

takeown /F C:\Windows\System32\MSAudDecMFT.dll

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c icacls %systemroot%\System32\MSAudDecMFT.dll /grant "%username%":F

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\MSAudDecMFT.dll /grant "Admin":F

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del %systemroot%\System32\MSAudDecMFT.dll

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c del /f /Q %systemroot%\System32\MSAudDecMFT.dll

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C takeown /F %systemroot%\System32\MSAudDecMFT.dll

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C icacls %systemroot%\System32\MSAudDecMFT.dll /grant "%username%":F

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del %systemroot%\System32\MSAudDecMFT.dll

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C del /f /Q %systemroot%\System32\MSAudDecMFT.dll

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\MSAudDecMFT.dll /grant "Admin":F

C:\Windows\system32\takeown.exe

takeown /F C:\Windows\System32\MSAudDecMFT.dll

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c cls

Network

Country Destination Domain Proto
US 8.8.8.8:53 watermelon.vantacheats.de udp
US 172.67.134.179:443 watermelon.vantacheats.de tcp
US 8.8.8.8:53 apps.identrust.com udp
GB 96.17.179.184:80 apps.identrust.com tcp
US 8.8.8.8:53 www.microsoft.com udp
N/A 127.0.0.1:49277 tcp
N/A 127.0.0.1:49279 tcp
US 8.8.8.8:53 icanhazip.com udp
US 104.16.184.241:80 icanhazip.com tcp
US 8.8.8.8:53 daddy-please.stop-trying-to-reverse.us udp
US 104.21.9.175:443 daddy-please.stop-trying-to-reverse.us tcp
US 8.8.8.8:53 pki.goog udp
US 216.239.32.29:80 pki.goog tcp
US 8.8.8.8:53 raw.githubusercontent.com udp
US 185.199.109.133:443 raw.githubusercontent.com tcp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.129.233:443 cdn.discordapp.com tcp
US 104.21.9.175:443 daddy-please.stop-trying-to-reverse.us tcp
N/A 127.0.0.1:49608 tcp
N/A 127.0.0.1:49610 tcp

Files

memory/1660-1-0x0000000140000000-0x0000000141413000-memory.dmp

memory/1660-0-0x0000000076EA0000-0x0000000076EA2000-memory.dmp

memory/1660-3-0x0000000076EA0000-0x0000000076EA2000-memory.dmp

memory/1660-5-0x0000000140000000-0x0000000141413000-memory.dmp

memory/1660-6-0x0000000076EA0000-0x0000000076EA2000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 753df6889fd7410a2e9fe333da83a429
SHA1 3c425f16e8267186061dd48ac1c77c122962456e
SHA256 b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA512 9d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444

C:\Users\Admin\AppData\Local\Temp\Tar2061.tmp

MD5 dd73cead4b93366cf3465c8cd32e2796
SHA1 74546226dfe9ceb8184651e920d1dbfb432b314e
SHA256 a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512 ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 556781d310b1169dda7096d35782f99c
SHA1 ac9cd51bdf3dbd94f364e56508dc2482012c29a7
SHA256 9abeb89d4bae8507b823166c5e76de128884f6af648b971841eb7556b79c1349
SHA512 2a2c57b254a8f7ac0fbbd35b144f8776120648a8c7ee557f04489d12ccf4a15b1494987ac471c40d229a1f9bb1577727c088ff829853ef3b1c75a010091c0d2d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c6fa7f881ba1d7f19e7eb3b9cc3ae235
SHA1 f209f20cf6b7ae7edd71ecfe661a5b61feb9e93c
SHA256 36b955e1556b73f0f939fe32001049e054b459efb1f4c26ab44f0e6fe8a94e4b
SHA512 3db3f669346b42d66ca561c2d591eeba94515de43be6c5ce34379354ec7faf0a343924bc8bff661d37a6855ee7f8b7cb48a0973cadb39e195be39760fd35588a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 13362dfa3f199f763a264f4f9239d7ef
SHA1 2a67b6137c25c250ae490cbcb72e832fd2b8c5bc
SHA256 45927a2d2b5252c9403148f8aac29c1f39dc5cf41c21de90d07229fceafd9541
SHA512 c6adc55b64ddf524f7ed2fc81ac6821839a9c01d406ea1aef6c62de840a5bce8c962d87f2f96a1b2cda8758df6d910ecc9edd6e919a80415309b089a3db7997c

memory/1660-416-0x0000000140000000-0x0000000141413000-memory.dmp

memory/1660-417-0x0000000140000000-0x0000000141413000-memory.dmp