Malware Analysis Report

2024-10-19 07:12

Sample ID 240430-wnyqpacd7s
Target 0a48ebd4c893f0e4e54edc1024236b06_JaffaCakes118
SHA256 695da3c8bed2ce16d81174c620837b40e19a2e0f0b77c3385129046e45c49888
Tags nanocore keylogger persistence spyware stealer trojan
Score 10/10

Analysis Overview

score
10/10

SHA256

695da3c8bed2ce16d81174c620837b40e19a2e0f0b77c3385129046e45c49888

Threat Level: Known bad

The file 0a48ebd4c893f0e4e54edc1024236b06_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

nanocore keylogger persistence spyware stealer trojan

NanoCore

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Creates scheduled task(s)

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-30 18:04

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-30 18:04

Reported

2024-04-30 18:07

Platform

win7-20240221-en

Max time kernel

143s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a48ebd4c893f0e4e54edc1024236b06_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\DDP Service = "C:\\Program Files (x86)\\DDP Service\\ddpsv.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3008 set thread context of 2356 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DDP Service\ddpsv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe N/A
File opened for modification C:\Program Files (x86)\DDP Service\ddpsv.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2440 wrote to memory of 3008 N/A C:\Users\Admin\AppData\Local\Temp\0a48ebd4c893f0e4e54edc1024236b06_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe
PID 3008 wrote to memory of 2356 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe
PID 2356 wrote to memory of 1076 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe C:\Windows\SysWOW64\schtasks.exe
PID 2356 wrote to memory of 2340 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0a48ebd4c893f0e4e54edc1024236b06_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0a48ebd4c893f0e4e54edc1024236b06_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe" /logtoconsole=false /logfile= /u "C:\Users\Admin\AppData\Local\Temp\0a48ebd4c893f0e4e54edc1024236b06_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DDP Service" /xml "C:\Users\Admin\AppData\Local\Temp\tmp208B.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DDP Service Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmp2463.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 delawizzy.ddns.net udp
NL 46.243.189.131:3752 tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp208B.tmp

MD5 776580d2028b74ed89bb21146482bdff
SHA1 d1a45290dedde63d8539a2fc8af866b430238bc7
SHA256 fbad359469fc6aefb5695d01974f4edf50528f51f80d57b9eb0d8f2f81033cc0
SHA512 de084f473db26ce159b639b02e7ffa263ae5b6c4c1da9f6932676dae4a6c65f082b1bcac673c45c2e2b84caa06d1860ea6f0545b81fd7b3e4f8fe5e802a160d3

C:\Users\Admin\AppData\Local\Temp\tmp2463.tmp

MD5 93d357e6194c8eb8d0616a9f592cc4bf
SHA1 5cc3a3d95d82cb88f65cb6dc6c188595fa272808
SHA256 a18de0ef2102d2546c7afd07ad1d7a071a0e59aff0868cf3937a145f24feb713
SHA512 4df079387f6a76e0deb96ab4c11f6cffa62a8b42dc4970e885dab10351fade2d9e933663c141b76409657f85f1bf9dbb533d92dce52dc62598aafc4793743f7f

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-30 18:04

Reported

2024-04-30 18:07

Platform

win10v2004-20240426-en

Max time kernel

139s

Max time network

147s

Command Line

"C:\Users\Admin\AppData\Local\Temp\0a48ebd4c893f0e4e54edc1024236b06_JaffaCakes118.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\0a48ebd4c893f0e4e54edc1024236b06_JaffaCakes118.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DHCP Subsystem = "C:\\Program Files (x86)\\DHCP Subsystem\\dhcpss.exe" C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 4196 set thread context of 3152 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe N/A
File opened for modification C:\Program Files (x86)\DHCP Subsystem\dhcpss.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2240 wrote to memory of 4196 N/A C:\Users\Admin\AppData\Local\Temp\0a48ebd4c893f0e4e54edc1024236b06_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe
PID 4196 wrote to memory of 3152 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe
PID 3152 wrote to memory of 3512 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe C:\Windows\SysWOW64\schtasks.exe
PID 3152 wrote to memory of 1524 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\0a48ebd4c893f0e4e54edc1024236b06_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\0a48ebd4c893f0e4e54edc1024236b06_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe" /logtoconsole=false /logfile= /u "C:\Users\Admin\AppData\Local\Temp\0a48ebd4c893f0e4e54edc1024236b06_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\installutil.exe"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DHCP Subsystem" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA0B4.tmp"

C:\Windows\SysWOW64\schtasks.exe

"schtasks.exe" /create /f /tn "DHCP Subsystem Task" /xml "C:\Users\Admin\AppData\Local\Temp\tmpA0F4.tmp"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.129:443 www.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 133.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 129.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 69.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 delawizzy.ddns.net udp
NL 46.243.189.131:3752 tcp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\installutil.exe.log

MD5 7a4a84f4d2df1fe011638038702dad89
SHA1 64e9856d95b2064ff51e1c77819c818e6e5b3291
SHA256 cfd5734d90e6889355768ae5a723076000d88af2e5b6b435d55fa5bfa3e29590
SHA512 cbe9f7724806d161e70a161525c89199e10e6f38ad425533defaa1e02a12bf2cf28cba6788ed68e446cbd4286541e341b55c40133c134f9fcf94cae79b34092d

C:\Users\Admin\AppData\Local\Temp\tmpA0B4.tmp

MD5 776580d2028b74ed89bb21146482bdff
SHA1 d1a45290dedde63d8539a2fc8af866b430238bc7
SHA256 fbad359469fc6aefb5695d01974f4edf50528f51f80d57b9eb0d8f2f81033cc0
SHA512 de084f473db26ce159b639b02e7ffa263ae5b6c4c1da9f6932676dae4a6c65f082b1bcac673c45c2e2b84caa06d1860ea6f0545b81fd7b3e4f8fe5e802a160d3

C:\Users\Admin\AppData\Local\Temp\tmpA0F4.tmp

MD5 2f26d92c1eeead3896820e56ec46f6f1
SHA1 d95533b61eed7d89e4ada56bc566d60e42ac1f61
SHA256 99a158463ce40c750bad6991ae1fceece305a0dbf8e209dd7147b5d539756bfa
SHA512 6c1ed12d5e1afcd9e7f327e0153786fd8594f75a995f341c408ef014e69917452a9fe99c511f0249aceb57b3045b707f1fd3f404e4086cfbf0aadcb3318db892
