Malware Analysis Report

2024-11-16 13:11

Sample ID 240410-v38nrsab21
Target eb9d83883aeb809ffeaede845a4e84f3_JaffaCakes118
SHA256 f2fe64f487a40a76b52e459513a5b64827e7f1222343ce8953ae087264171bd1
Tags
persistence metamorpherrat rat stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

f2fe64f487a40a76b52e459513a5b64827e7f1222343ce8953ae087264171bd1

Threat Level: Known bad

The file eb9d83883aeb809ffeaede845a4e84f3_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

persistence metamorpherrat rat stealer trojan

MetamorpherRAT

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Uses the VBS compiler for execution

Deletes itself

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-10 17:31

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-10 17:31

Reported

2024-04-10 17:34

Platform

win7-20240221-en

Max time kernel

151s

Max time network

156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eb9d83883aeb809ffeaede845a4e84f3_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp64EB.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\aspnet_perf2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\mscordbi.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp64EB.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\eb9d83883aeb809ffeaede845a4e84f3_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp64EB.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1992 wrote to memory of 3008 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\eb9d83883aeb809ffeaede845a4e84f3_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3008 wrote to memory of 2640 (4 events) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1992 wrote to memory of 2372 (4 events) N/A C:\Users\Admin\AppData\Local\Temp\eb9d83883aeb809ffeaede845a4e84f3_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp64EB.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\eb9d83883aeb809ffeaede845a4e84f3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\eb9d83883aeb809ffeaede845a4e84f3_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7r--jdet.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6817.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc6816.tmp"

C:\Users\Admin\AppData\Local\Temp\tmp64EB.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp64EB.tmp.exe" C:\Users\Admin\AppData\Local\Temp\eb9d83883aeb809ffeaede845a4e84f3_JaffaCakes118.exe
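The process tree above (dropper in %TEMP% -> vbc.exe with a response file -> cvtres.exe, then a freshly built tmp*.tmp.exe launched with the dropper's own path, plus a Run value pointing into %TEMP%) is the part of this report worth turning into detection logic. The following is an added example, not code from the sandbox or the report. The event records are constructed from the behavioral1 command lines and Run-key write; their field names (type, pid, ppid, image, command_line, key, value_name, value_data), the rule names, the user-writable-path heuristic and the devenv.exe control chain are this example's assumptions, not the sandbox's schema.

```python
"""Flag the vbc.exe build chain and the Run-key persistence from the report
in process-creation and registry-set telemetry.

Added example, not part of the sandbox report.  Event layout and rule
names are assumptions; PIDs and command lines follow behavioral1."""
import re
from pathlib import PureWindowsPath

TEMP = r"C:\Users\Admin\AppData\Local\Temp"
NET2 = r"C:\Windows\Microsoft.NET\Framework\v2.0.50727"
DROPPER = TEMP + r"\eb9d83883aeb809ffeaede845a4e84f3_JaffaCakes118.exe"

# Constructed events.  The devenv.exe chain at the end is a benign control:
# a developer build also spawns vbc.exe and cvtres.exe and must not alert.
EVENTS = [
    {"type": "process", "pid": 1992, "ppid": 0, "image": DROPPER,
     "command_line": f'"{DROPPER}"'},
    {"type": "process", "pid": 3008, "ppid": 1992, "image": NET2 + r"\vbc.exe",
     "command_line": f'"{NET2}\\vbc.exe" /noconfig @"{TEMP}\\7r--jdet.cmdline"'},
    {"type": "process", "pid": 2640, "ppid": 3008, "image": NET2 + r"\cvtres.exe",
     "command_line": f'{NET2}\\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '
                     f'"/OUT:{TEMP}\\RES6817.tmp" "{TEMP}\\vbc6816.tmp"'},
    {"type": "process", "pid": 2372, "ppid": 1992, "image": TEMP + r"\tmp64EB.tmp.exe",
     "command_line": f'"{TEMP}\\tmp64EB.tmp.exe" {DROPPER}'},
    {"type": "registry_set", "pid": 2372,
     "key": r"\REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000"
            r"\Software\Microsoft\Windows\CurrentVersion\Run",
     "value_name": "aspnet_perf2", "value_data": f'"{TEMP}\\mscordbi.exe"'},
    {"type": "process", "pid": 4000, "ppid": 1,
     "image": r"C:\Program Files\Microsoft Visual Studio\Common7\IDE\devenv.exe",
     "command_line": "devenv.exe"},
    {"type": "process", "pid": 4100, "ppid": 4000, "image": NET2 + r"\vbc.exe",
     "command_line": f'"{NET2}\\vbc.exe" /noconfig @"{TEMP}\\build.cmdline"'},
    {"type": "process", "pid": 4200, "ppid": 4100, "image": NET2 + r"\cvtres.exe",
     "command_line": f'{NET2}\\cvtres.exe /NOLOGO "/OUT:{TEMP}\\RES1.tmp" "{TEMP}\\vbc1.tmp"'},
]

# Heuristic for "a directory an unprivileged user can write to" (assumption).
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\appdata\\|\\temp\\|\\programdata\\", re.I)
DOTNET_COMPILERS = {"vbc.exe", "csc.exe"}


def image_name(path):
    """Basename of a Windows path, quotes stripped, lower-cased."""
    return PureWindowsPath(path.strip('"')).name.lower()


def user_writable(path):
    return USER_WRITABLE.search(path) is not None


def detect(events):
    """Return (rule, pid) hits.  Every rule keys on the relationship between
    a signed Windows binary and a user-writable path, never on vbc.exe or
    cvtres.exe alone, because both run constantly on developer machines."""
    procs = {e["pid"]: e for e in events if e["type"] == "process"}
    hits = []
    for e in events:
        if e["type"] == "process":
            parent = procs.get(e["ppid"])
            name = image_name(e["image"])
            cmd = e["command_line"].lower()
            # 1. .NET compiler fed a response file by a parent living in %TEMP%/%APPDATA%
            if (name in DOTNET_COMPILERS and "/noconfig" in cmd and "@" in cmd
                    and parent and user_writable(parent["image"])):
                hits.append(("compiler_spawned_from_user_writable_parent", e["pid"]))
            # 2. cvtres.exe under such a compiler (the resource step of the same build)
            if name == "cvtres.exe" and parent and image_name(parent["image"]) in DOTNET_COMPILERS:
                grandparent = procs.get(parent["ppid"])
                if grandparent and user_writable(grandparent["image"]):
                    hits.append(("cvtres_in_user_writable_compile_chain", e["pid"]))
            # 3. EXE in a user-writable dir started by another one, with the parent's
            #    own path on the command line (the tmp64EB.tmp.exe hand-off above)
            if (parent and user_writable(e["image"]) and user_writable(parent["image"])
                    and parent["image"].lower() in cmd):
                hits.append(("dropped_exe_given_dropper_path", e["pid"]))
        elif e["type"] == "registry_set":
            # 4. Run value whose target lives in a user-writable directory
            if e["key"].lower().endswith(r"\currentversion\run") and user_writable(e["value_data"]):
                hits.append(("run_key_points_to_user_writable_path", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:45s} pid={pid}")
```

Rules 1 and 2 stay quiet for the devenv.exe control because the parent of the compiler is under Program Files; what makes this sample's chain suspicious is not vbc.exe or cvtres.exe but the dropper in %TEMP% driving them. Rule 4 is the one to tune for your estate: the value name aspnet_perf2 and the target mscordbi.exe borrow .NET Framework component names, but a Run value whose data points into a user's Temp directory is rarely legitimate whatever it is called.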

Network

Country Destination Domain Proto
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp (36 connections)

Files

memory/1992-0-0x00000000743E0000-0x000000007498B000-memory.dmp

memory/1992-2-0x00000000743E0000-0x000000007498B000-memory.dmp

memory/1992-6-0x00000000009E0000-0x0000000000A20000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\7r--jdet.cmdline

MD5 46a5df027b8cc1732c28008d114dc5b5
SHA1 a07113ed803ec83b86269227ee5e621e409436bb
SHA256 7c3830f68de3a74f243f9d4806be6d15d45905ddb28d27ae95cd2de3214287c2
SHA512 f8d95b5205c4d6623e3814a1a165972006798fcabfed68762a05febf7906cadcd3fafdbf33a519490f306b098af1eef3e29581cd06ee8b743c5ddd5e610cf911

C:\Users\Admin\AppData\Local\Temp\7r--jdet.0.vb

MD5 5a98f5b49ccb4f0961357027b0cdb30e
SHA1 a29d896a584c0557f39d60d65652012976efb565
SHA256 a33e51264f21a889490733eee4c90b8db2029bcb3e1be66b9260cf831bcf530c
SHA512 1b71655a5dc98f2e1aa04570f0e09e57d0795acb174173a5799ad9fc52e94607363399d900db43e17fa16c7880634aee368463d605f328ef5ee81255c4a4d62a

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 097dd7d3902f824a3960ad33401b539f
SHA1 4e5c80de6a0886a8b02592a0c980b2bc2d9a4a8f
SHA256 e2eb52524ddfed5e52a54484b3fecdc9ebe24fb141d1445d37c99c0ab615df4f
SHA512 bb77c3f7b9b8c461b149f540a0dab99fdde474484b046d663228d8c0f1b6a20b72892643935069dd74134c8ab8e8f26b6badc210a6929a737541b9861007fbe4

C:\Users\Admin\AppData\Local\Temp\vbc6816.tmp

MD5 be68cc4c624e855ac549306084de64fa
SHA1 dc53565777c29cdd214c1b724d3287274b853dee
SHA256 63a8ff8ebe4c4d40e1a7065d0c688666dd887157000ae26b938c5b3897e20b79
SHA512 fe429dfdb0873cc2fe985a5c099667d5b529bee58c6fbba558109c8db98f8fb0cac085a024e123c24a7533f1dd37918e1ad9dec16e5928fe0102a5356e81363b

C:\Users\Admin\AppData\Local\Temp\RES6817.tmp

MD5 97b7af66a41fb94f10a7e413f058c9f2
SHA1 e68ff261ba21889481ef34913c07a62594865fb7
SHA256 98582b415cd339975f32b4b42bb786cdcd3019909d5d9f52ebf0b2699b91ef63
SHA512 ef98fcac7074c644f751db9374a9bca6391b599b817424a31fed4dfe1365121c21dfe8d8e9b097006b046fdcc2851468ce40e32c797f239288314d3dcc92e386

C:\Users\Admin\AppData\Local\Temp\tmp64EB.tmp.exe

MD5 c1f70e0f6e91cfdbb151bd783acab9fc
SHA1 cf979952ddde49f77af52be52984e79ce20815ab
SHA256 fc34be629039d58e72e403b7cfee988ded753d4419f6e66cf97eecfe579eaa30
SHA512 4e65fd7210257d8e1686693eb6f0de82c54640e80100a0b8e951d0f10a915be4f184d77429213687f0ff3132ca0bc4c16d625ed668a5c5cc642b3746b854ea2e

memory/2372-24-0x00000000002E0000-0x0000000000320000-memory.dmp

memory/2372-23-0x00000000743E0000-0x000000007498B000-memory.dmp

memory/1992-22-0x00000000743E0000-0x000000007498B000-memory.dmp

memory/2372-25-0x00000000743E0000-0x000000007498B000-memory.dmp

memory/2372-27-0x00000000002E0000-0x0000000000320000-memory.dmp

memory/2372-29-0x00000000002E0000-0x0000000000320000-memory.dmp

memory/2372-28-0x00000000743E0000-0x000000007498B000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-10 17:31

Reported

2024-04-10 17:34

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\eb9d83883aeb809ffeaede845a4e84f3_JaffaCakes118.exe"

Signatures

MetamorpherRAT

trojan rat stealer metamorpherrat

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\eb9d83883aeb809ffeaede845a4e84f3_JaffaCakes118.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp3EAF.tmp.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\tmp3EAF.tmp.exe N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aspnet_perf2 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\mscordbi.exe\"" C:\Users\Admin\AppData\Local\Temp\tmp3EAF.tmp.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\eb9d83883aeb809ffeaede845a4e84f3_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\tmp3EAF.tmp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4828 wrote to memory of 1276 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\eb9d83883aeb809ffeaede845a4e84f3_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1276 wrote to memory of 5060 (3 events) N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4828 wrote to memory of 560 (3 events) N/A C:\Users\Admin\AppData\Local\Temp\eb9d83883aeb809ffeaede845a4e84f3_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\tmp3EAF.tmp.exe

Processes

C:\Users\Admin\AppData\Local\Temp\eb9d83883aeb809ffeaede845a4e84f3_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\eb9d83883aeb809ffeaede845a4e84f3_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\3ch2a8j9.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3FF7.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc245BB70BC533456F962DA559A2347CC1.TMP"

C:\Users\Admin\AppData\Local\Temp\tmp3EAF.tmp.exe

"C:\Users\Admin\AppData\Local\Temp\tmp3EAF.tmp.exe" C:\Users\Admin\AppData\Local\Temp\eb9d83883aeb809ffeaede845a4e84f3_JaffaCakes118.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp (5 connections)
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 17.143.109.104.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp (8 connections)
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp (9 connections)
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp (15 connections)
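Both network tables mix the sample's own traffic (DNS for bejnz.com and the repeated TCP connections to 34.67.9.172:80) with guest background noise: reverse (in-addr.arpa) lookups, mDNS to 224.0.0.251:5353, and one connection with no name. The following is an added example, not part of the report, showing how to triage such a table: it folds the rows into per-destination counts, drops the noise classes, and reverses each PTR label back to the address it names, so a reverse lookup for a contacted IP (172.9.67.34.in-addr.arpa is 34.67.9.172) is tied to the C2 rather than discarded. ROWS is a constructed subset of the behavioral2 table, so the counts describe this sample only; the noise classification is this example's assumption.

```python
"""Split a flat sandbox network table into C2 candidates and background noise.

Added example, not part of the report.  ROWS is a constructed subset of the
behavioral2 table; the classification rules are assumptions."""
from collections import Counter

ROWS = """\
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 bejnz.com udp
US 34.67.9.172:80 bejnz.com tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 172.9.67.34.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
US 34.67.9.172:80 bejnz.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 34.67.9.172:80 bejnz.com tcp
"""


def parse_rows(text):
    """Columns are Country Destination [Domain] Proto; Domain may be absent."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, ""
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def ptr_to_ip(name):
    """'172.9.67.34.in-addr.arpa' -> '34.67.9.172' (the address being reversed)."""
    suffix = ".in-addr.arpa"
    if not name.endswith(suffix):
        return None
    octets = name[:-len(suffix)].split(".")
    return ".".join(reversed(octets)) if len(octets) == 4 else None


def triage(rows):
    conns, dns, ptr, noise = Counter(), set(), set(), 0
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 5353 and r["ip"] == "224.0.0.251":
            noise += 1                       # mDNS from the guest, not the sample
        elif r["proto"] == "udp" and r["port"] == 53:
            ip = ptr_to_ip(r["domain"])
            if ip:
                ptr.add(ip)                  # reverse lookup: keep only the IP it names
            elif r["domain"]:
                dns.add(r["domain"])         # forward lookup: an indicator
            else:
                noise += 1
        else:
            conns[(r["ip"], r["port"], r["domain"] or None)] += 1
    contacted = {ip for ip, _, _ in conns}
    return {
        "connections": dict(conns),                       # (ip, port, name) -> count
        "dns_queries": dns,
        "ptr_for_contacted_ips": sorted(ptr & contacted),  # reverse lookups of C2 addresses
        "ptr_other": sorted(ptr - contacted),              # reverse lookups of uncontacted IPs
        "noise_rows": noise,
    }


if __name__ == "__main__":
    for key, value in triage(parse_rows(ROWS)).items():
        print(f"{key}: {value}")
```

The output leaves two things for a human: the bejnz.com / 34.67.9.172:80 pair, whose connection count in the full table is what makes it look like polling rather than a one-off download, and the unnamed connection to 52.142.223.178:80, which had no forward lookup in the table and needs to be attributed separately before it goes on a block list.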

Files

memory/4828-0-0x0000000075010000-0x00000000755C1000-memory.dmp

memory/4828-1-0x0000000001810000-0x0000000001820000-memory.dmp

memory/4828-2-0x0000000075010000-0x00000000755C1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3ch2a8j9.cmdline

MD5 0496df45e599c844eac63e268a42e953
SHA1 b52adaaf66e217024c8243493ca46deedb734f64
SHA256 88c0639db136005d8fad40d05d3f747efb2f2ac16fe27087fc3757c268811b3a
SHA512 305c70b949bd5d4241d49b64733ba98f3ea82faa4378ae713e1c3ee4d8a9bb647d62cf600776fa003ee17eababef75755fa413bdbf4aad6bedfd07dbfa05eb2b

memory/1276-8-0x00000000021E0000-0x00000000021F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\3ch2a8j9.0.vb

MD5 8abfdc2f944bf28731e34dcdce3e0786
SHA1 bcfe175c0e7bf1d5a633887fcf0ed94e37aea9fd
SHA256 d22e046cbe2cf4c7e40de5b8a4d97607cbcb96cd00581ba7905cab7b74be953b
SHA512 61970da203b35681d349fb963185a32de3e2239931ab9a5c6ea6d78b15db5db7d818331332052400e88dece8b5045f96bc3dac3a74dbb284c3a5c77fd3d72912

C:\Users\Admin\AppData\Local\Temp\zCom.resources

MD5 097dd7d3902f824a3960ad33401b539f
SHA1 4e5c80de6a0886a8b02592a0c980b2bc2d9a4a8f
SHA256 e2eb52524ddfed5e52a54484b3fecdc9ebe24fb141d1445d37c99c0ab615df4f
SHA512 bb77c3f7b9b8c461b149f540a0dab99fdde474484b046d663228d8c0f1b6a20b72892643935069dd74134c8ab8e8f26b6badc210a6929a737541b9861007fbe4

C:\Users\Admin\AppData\Local\Temp\vbc245BB70BC533456F962DA559A2347CC1.TMP

MD5 8d6dfda06b730d107d73fb91544a56bc
SHA1 19b4cea3a3024513408206edb50dc230164675c9
SHA256 ef5616ffcb23a32bd2e00f09aea5fb9f9d466788b7d9a3de475c53d80914b43c
SHA512 5b654c6d0dec102653025d9d58edf732de698f57647ff696c067023464450244beb53ec452d4934529310d23a55a2b272e0ecbf1fce841ba9f1ba7255ccdb772

C:\Users\Admin\AppData\Local\Temp\RES3FF7.tmp

MD5 5d7c698514bf5892086dd40b6bf2b61e
SHA1 f8e73a4d7fa029e6deb8bbd9519d1414bf9cdcf7
SHA256 16453acbd9b27a47696b26b1d2dfda28a85f97ac7943f7ecd3f3a4275c4c9d51
SHA512 caadc454b59a86e61434d54cd0cb44ea29dd431f243ebf5b91862607e6258a726063ef2da0050222e68b7f56dce8361aacad66a4973574977c5c17068030d5b3

C:\Users\Admin\AppData\Local\Temp\tmp3EAF.tmp.exe

MD5 492952fcef344e7637d2647bb4fd273e
SHA1 6ad000529d38d560283c4d52599e1afaa3bc4c2a
SHA256 b82b718d0382be04c9e9dbb7ce74c5e1d6bed067a406072548b4296612f280af
SHA512 ab81856525bf306b260cd972443f19eb1f60d1d317b7fdb872ef3ac803eab17c97fc66f683e75af8734ef8efe754ca1a7c9048c61705f7524e020f5c2f7cb1fb

memory/560-22-0x0000000075010000-0x00000000755C1000-memory.dmp

memory/560-23-0x00000000013F0000-0x0000000001400000-memory.dmp

memory/4828-21-0x0000000075010000-0x00000000755C1000-memory.dmp

memory/560-24-0x0000000075010000-0x00000000755C1000-memory.dmp

memory/560-26-0x00000000013F0000-0x0000000001400000-memory.dmp

memory/560-27-0x0000000075010000-0x00000000755C1000-memory.dmp

memory/560-28-0x00000000013F0000-0x0000000001400000-memory.dmp

memory/560-29-0x00000000013F0000-0x0000000001400000-memory.dmp
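The two Files sections show which dropped-file indicators survive a re-detonation: zCom.resources carries the same SHA256 on Win7 and Win10, while the response file, the generated .0.vb source, the cvtres input and output, and the compiled tmp*.tmp.exe all carry random names and different hashes per run. The following is an added example, not part of the report, that folds the randomised names into roles and reports which hashes are stable. The SHA256 values are copied from the two Files sections above; the role patterns are this example's assumption.

```python
"""Compare dropped files across two detonations and keep only stable hashes.

Added example, not part of the report.  Hashes come from the behavioral1
(Win7) and behavioral2 (Win10) Files sections; ROLE_PATTERNS is an assumption."""
import re

FILES_WIN7 = {
    "7r--jdet.cmdline": "7c3830f68de3a74f243f9d4806be6d15d45905ddb28d27ae95cd2de3214287c2",
    "7r--jdet.0.vb":    "a33e51264f21a889490733eee4c90b8db2029bcb3e1be66b9260cf831bcf530c",
    "zCom.resources":   "e2eb52524ddfed5e52a54484b3fecdc9ebe24fb141d1445d37c99c0ab615df4f",
    "vbc6816.tmp":      "63a8ff8ebe4c4d40e1a7065d0c688666dd887157000ae26b938c5b3897e20b79",
    "RES6817.tmp":      "98582b415cd339975f32b4b42bb786cdcd3019909d5d9f52ebf0b2699b91ef63",
    "tmp64EB.tmp.exe":  "fc34be629039d58e72e403b7cfee988ded753d4419f6e66cf97eecfe579eaa30",
}
FILES_WIN10 = {
    "3ch2a8j9.cmdline": "88c0639db136005d8fad40d05d3f747efb2f2ac16fe27087fc3757c268811b3a",
    "3ch2a8j9.0.vb":    "d22e046cbe2cf4c7e40de5b8a4d97607cbcb96cd00581ba7905cab7b74be953b",
    "zCom.resources":   "e2eb52524ddfed5e52a54484b3fecdc9ebe24fb141d1445d37c99c0ab615df4f",
    "vbc245BB70BC533456F962DA559A2347CC1.TMP":
                        "ef5616ffcb23a32bd2e00f09aea5fb9f9d466788b7d9a3de475c53d80914b43c",
    "RES3FF7.tmp":      "16453acbd9b27a47696b26b1d2dfda28a85f97ac7943f7ecd3f3a4275c4c9d51",
    "tmp3EAF.tmp.exe":  "b82b718d0382be04c9e9dbb7ce74c5e1d6bed067a406072548b4296612f280af",
}

# Randomised names are folded into a role; anything unmatched keeps its own name.
ROLE_PATTERNS = [
    (r"^[a-z0-9_\-]+\.cmdline$",    "vbc response file (*.cmdline)"),
    (r"^[a-z0-9_\-]+\.0\.vb$",      "generated VB.NET source (*.0.vb)"),
    (r"^vbc[0-9a-f]+\.tmp$",        "cvtres input (vbc*.tmp)"),
    (r"^res[0-9a-f]{4}\.tmp$",      "cvtres output (RES*.tmp)"),
    (r"^tmp[0-9a-f]{4}\.tmp\.exe$", "compiled payload (tmp*.tmp.exe)"),
]


def role_of(name):
    low = name.lower()
    for pattern, role in ROLE_PATTERNS:
        if re.match(pattern, low):
            return role
    return name


def compare(run_a, run_b):
    """Map each role to ('stable', sha) | ('per-run', (sha_a, sha_b)) | ('single-run', sha)."""
    a = {role_of(n): h for n, h in run_a.items()}
    b = {role_of(n): h for n, h in run_b.items()}
    result = {}
    for role in sorted(set(a) | set(b)):
        if role in a and role in b:
            result[role] = (("stable", a[role]) if a[role] == b[role]
                            else ("per-run", (a[role], b[role])))
        else:
            result[role] = ("single-run", a.get(role, b.get(role)))
    return result


def stable_hashes(result):
    """The only file hashes worth putting on a block list."""
    return sorted((role, h) for role, (kind, h) in result.items() if kind == "stable")


if __name__ == "__main__":
    for role, (kind, value) in compare(FILES_WIN7, FILES_WIN10).items():
        print(f"{kind:10s} {role}: {value}")
```

The per-run hashes for the compiled payload are consistent with the sample building it through vbc.exe on each execution, so a hash rule for tmp*.tmp.exe would never fire twice. What does repeat across both platforms, per the report itself, is the zCom.resources hash, the Run value name aspnet_perf2, and its target path ...\AppData\Local\Temp\mscordbi.exe; note that the MetamorpherRAT family signature fired only in the Win10 run.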