Malware Analysis Report

2025-08-10 19:46

Sample ID 221116-rh4brsbf77
Target 3f0a89e3647d4ff575fc0c8db1ea5e9f7dbf2c0041f90ec2ef26c7eab69b34f8.exe
SHA256 3f0a89e3647d4ff575fc0c8db1ea5e9f7dbf2c0041f90ec2ef26c7eab69b34f8
Tags
nanocore keylogger persistence spyware stealer trojan
score
10/10

Analysis Overview


Threat Level: Known bad

The file 3f0a89e3647d4ff575fc0c8db1ea5e9f7dbf2c0041f90ec2ef26c7eab69b34f8.exe was found to be: Known bad.

Malicious Activity Summary

nanocore keylogger persistence spyware stealer trojan

NanoCore

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Analysis: static1

Detonation Overview

Reported

2022-11-16 14:12

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2022-11-16 14:12

Reported

2022-11-16 14:15

Platform

win7-20220812-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3f0a89e3647d4ff575fc0c8db1ea5e9f7dbf2c0041f90ec2ef26c7eab69b34f8.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\UDP Service = "C:\\Program Files (x86)\\UDP Service\\udpsv.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 784 set thread context of 1444 N/A C:\Users\Admin\AppData\Local\Temp\3f0a89e3647d4ff575fc0c8db1ea5e9f7dbf2c0041f90ec2ef26c7eab69b34f8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\UDP Service\udpsv.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File opened for modification C:\Program Files (x86)\UDP Service\udpsv.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3f0a89e3647d4ff575fc0c8db1ea5e9f7dbf2c0041f90ec2ef26c7eab69b34f8.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 784 wrote to memory of 936 N/A C:\Users\Admin\AppData\Local\Temp\3f0a89e3647d4ff575fc0c8db1ea5e9f7dbf2c0041f90ec2ef26c7eab69b34f8.exe C:\Windows\SysWOW64\schtasks.exe
PID 784 wrote to memory of 1444 N/A C:\Users\Admin\AppData\Local\Temp\3f0a89e3647d4ff575fc0c8db1ea5e9f7dbf2c0041f90ec2ef26c7eab69b34f8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3f0a89e3647d4ff575fc0c8db1ea5e9f7dbf2c0041f90ec2ef26c7eab69b34f8.exe

"C:\Users\Admin\AppData\Local\Temp\3f0a89e3647d4ff575fc0c8db1ea5e9f7dbf2c0041f90ec2ef26c7eab69b34f8.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TztnPxRQQq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEA7F.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"{path}"

Network

Country Destination Domain Proto
N/A 8.8.8.8:53 maxlogs.webhop.me udp
N/A 79.134.225.69:1620 maxlogs.webhop.me tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmpEA7F.tmp

MD5 a841247c97a339c90d5b3621a45611dc
SHA1 f0c2cf0930733a87dc8ac00b75b7d509c5dbeec1
SHA256 0f90febd5d4ccae84fc8ebf5ffb64450795a429328d3f0c8f637d45abfda3009
SHA512 547ff6bd2ebfabac04d3be976ba3f01571fc591ecbba25cc5758a07ba5be38edf53f903be9bb66fa37a29f59af4ddfac22d9dae3bfaeec0932a191d5af620858

Analysis: behavioral2

Detonation Overview

Submitted

2022-11-16 14:12

Reported

2022-11-16 14:15

Platform

win10v2004-20221111-en

Max time kernel

144s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\3f0a89e3647d4ff575fc0c8db1ea5e9f7dbf2c0041f90ec2ef26c7eab69b34f8.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\3f0a89e3647d4ff575fc0c8db1ea5e9f7dbf2c0041f90ec2ef26c7eab69b34f8.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\TCP Subsystem = "C:\\Program Files (x86)\\TCP Subsystem\\tcpss.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1472 set thread context of 4436 N/A C:\Users\Admin\AppData\Local\Temp\3f0a89e3647d4ff575fc0c8db1ea5e9f7dbf2c0041f90ec2ef26c7eab69b34f8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\TCP Subsystem\tcpss.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
File opened for modification C:\Program Files (x86)\TCP Subsystem\tcpss.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\3f0a89e3647d4ff575fc0c8db1ea5e9f7dbf2c0041f90ec2ef26c7eab69b34f8.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1472 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\3f0a89e3647d4ff575fc0c8db1ea5e9f7dbf2c0041f90ec2ef26c7eab69b34f8.exe C:\Windows\SysWOW64\schtasks.exe
PID 1472 wrote to memory of 4160 N/A C:\Users\Admin\AppData\Local\Temp\3f0a89e3647d4ff575fc0c8db1ea5e9f7dbf2c0041f90ec2ef26c7eab69b34f8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1472 wrote to memory of 4436 N/A C:\Users\Admin\AppData\Local\Temp\3f0a89e3647d4ff575fc0c8db1ea5e9f7dbf2c0041f90ec2ef26c7eab69b34f8.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Processes

C:\Users\Admin\AppData\Local\Temp\3f0a89e3647d4ff575fc0c8db1ea5e9f7dbf2c0041f90ec2ef26c7eab69b34f8.exe

"C:\Users\Admin\AppData\Local\Temp\3f0a89e3647d4ff575fc0c8db1ea5e9f7dbf2c0041f90ec2ef26c7eab69b34f8.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\TztnPxRQQq" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCFB8.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"{path}"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

"{path}"

Network

Country Destination Domain Proto
N/A 209.197.3.8:80 tcp
N/A 8.8.8.8:53 maxlogs.webhop.me udp
N/A 79.134.225.69:1620 maxlogs.webhop.me tcp
N/A 51.104.15.252:443 tcp
N/A 93.184.221.240:80 tcp
N/A 104.80.225.205:443 tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmpCFB8.tmp

MD5 35e45f7d0f39f4ec44cb7a2612d08c17
SHA1 6c81050c24b385cabe26eb6ce2d347e52e3e3755
SHA256 e95f7357ed9328f24aaeeaf35e146476b72646009aefdab5a02e3771aa415709
SHA512 2af7160028530c985953bbad7cd8c1465b6d6b1274e4f98e4cd92c8736c40f5ef333befda5f097be4f92b15fbd061f55735331608ad68ce1f5c0eac31b19c13f
