Malware Analysis Report

2024-11-30 20:07

Sample ID 240509-bht54acd69
Target cd244ca9c1a284a8e9ea743bd516d93862b797465dad6dad5e28efe8d74ac372
SHA256 cd244ca9c1a284a8e9ea743bd516d93862b797465dad6dad5e28efe8d74ac372
Tags agenttesla zgrat keylogger rat spyware stealer trojan
Score 10/10

Analysis Overview

Score 10/10

SHA256 cd244ca9c1a284a8e9ea743bd516d93862b797465dad6dad5e28efe8d74ac372

Threat Level: Known bad

The file cd244ca9c1a284a8e9ea743bd516d93862b797465dad6dad5e28efe8d74ac372 was found to be: Known bad.

Malicious Activity Summary

agenttesla zgrat keylogger rat spyware stealer trojan

AgentTesla

Detect ZGRat V1

ZGRat

Looks up external IP address via web service

AutoIT Executable

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported 2024-05-09 01:09

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-05-09 01:09
Reported 2024-05-09 01:11
Platform win7-20240221-en
Max time kernel 120s
Max time network 126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cd244ca9c1a284a8e9ea743bd516d93862b797465dad6dad5e28efe8d74ac372.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2660 set thread context of 2540 N/A C:\Users\Admin\AppData\Local\Temp\cd244ca9c1a284a8e9ea743bd516d93862b797465dad6dad5e28efe8d74ac372.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\cd244ca9c1a284a8e9ea743bd516d93862b797465dad6dad5e28efe8d74ac372.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2660 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\cd244ca9c1a284a8e9ea743bd516d93862b797465dad6dad5e28efe8d74ac372.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cd244ca9c1a284a8e9ea743bd516d93862b797465dad6dad5e28efe8d74ac372.exe

"C:\Users\Admin\AppData\Local\Temp\cd244ca9c1a284a8e9ea743bd516d93862b797465dad6dad5e28efe8d74ac372.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\cd244ca9c1a284a8e9ea743bd516d93862b797465dad6dad5e28efe8d74ac372.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\vitraillist

MD5 9b9b53d76c5bb6b890157993cf720c64
SHA1 e03ae3b48974c2cb28d93f9548413f833a68ec53
SHA256 570edde4f1d9dec57454b81034d86c8fd194225f036b4f9acc1792eb5983dc37
SHA512 03fbeec082b8bafa5442f4a99d5222cf4fe1385110082e816244eff980e2b898d76b36f8528954ccbd292da2004229751f17cc079bfeb41b1bc4e2471a89c4f3

Analysis: behavioral2

Detonation Overview

Submitted 2024-05-09 01:09
Reported 2024-05-09 01:11
Platform win10v2004-20240508-en
Max time kernel 92s
Max time network 101s

Command Line

"C:\Users\Admin\AppData\Local\Temp\cd244ca9c1a284a8e9ea743bd516d93862b797465dad6dad5e28efe8d74ac372.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Detect ZGRat V1

Description Indicator Process Target
N/A N/A N/A N/A

ZGRat

rat zgrat

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 528 set thread context of 2580 N/A C:\Users\Admin\AppData\Local\Temp\cd244ca9c1a284a8e9ea743bd516d93862b797465dad6dad5e28efe8d74ac372.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3320 wrote to memory of 752 N/A C:\Users\Admin\AppData\Local\Temp\cd244ca9c1a284a8e9ea743bd516d93862b797465dad6dad5e28efe8d74ac372.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3320 wrote to memory of 2988 N/A C:\Users\Admin\AppData\Local\Temp\cd244ca9c1a284a8e9ea743bd516d93862b797465dad6dad5e28efe8d74ac372.exe C:\Users\Admin\AppData\Local\Temp\cd244ca9c1a284a8e9ea743bd516d93862b797465dad6dad5e28efe8d74ac372.exe
PID 2988 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\cd244ca9c1a284a8e9ea743bd516d93862b797465dad6dad5e28efe8d74ac372.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2988 wrote to memory of 64 N/A C:\Users\Admin\AppData\Local\Temp\cd244ca9c1a284a8e9ea743bd516d93862b797465dad6dad5e28efe8d74ac372.exe C:\Users\Admin\AppData\Local\Temp\cd244ca9c1a284a8e9ea743bd516d93862b797465dad6dad5e28efe8d74ac372.exe
PID 64 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\cd244ca9c1a284a8e9ea743bd516d93862b797465dad6dad5e28efe8d74ac372.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 64 wrote to memory of 528 N/A C:\Users\Admin\AppData\Local\Temp\cd244ca9c1a284a8e9ea743bd516d93862b797465dad6dad5e28efe8d74ac372.exe C:\Users\Admin\AppData\Local\Temp\cd244ca9c1a284a8e9ea743bd516d93862b797465dad6dad5e28efe8d74ac372.exe
PID 528 wrote to memory of 2580 N/A C:\Users\Admin\AppData\Local\Temp\cd244ca9c1a284a8e9ea743bd516d93862b797465dad6dad5e28efe8d74ac372.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\cd244ca9c1a284a8e9ea743bd516d93862b797465dad6dad5e28efe8d74ac372.exe

"C:\Users\Admin\AppData\Local\Temp\cd244ca9c1a284a8e9ea743bd516d93862b797465dad6dad5e28efe8d74ac372.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\cd244ca9c1a284a8e9ea743bd516d93862b797465dad6dad5e28efe8d74ac372.exe"

C:\Users\Admin\AppData\Local\Temp\cd244ca9c1a284a8e9ea743bd516d93862b797465dad6dad5e28efe8d74ac372.exe

"C:\Users\Admin\AppData\Local\Temp\cd244ca9c1a284a8e9ea743bd516d93862b797465dad6dad5e28efe8d74ac372.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\cd244ca9c1a284a8e9ea743bd516d93862b797465dad6dad5e28efe8d74ac372.exe"

C:\Users\Admin\AppData\Local\Temp\cd244ca9c1a284a8e9ea743bd516d93862b797465dad6dad5e28efe8d74ac372.exe

"C:\Users\Admin\AppData\Local\Temp\cd244ca9c1a284a8e9ea743bd516d93862b797465dad6dad5e28efe8d74ac372.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\cd244ca9c1a284a8e9ea743bd516d93862b797465dad6dad5e28efe8d74ac372.exe"

C:\Users\Admin\AppData\Local\Temp\cd244ca9c1a284a8e9ea743bd516d93862b797465dad6dad5e28efe8d74ac372.exe

"C:\Users\Admin\AppData\Local\Temp\cd244ca9c1a284a8e9ea743bd516d93862b797465dad6dad5e28efe8d74ac372.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\cd244ca9c1a284a8e9ea743bd516d93862b797465dad6dad5e28efe8d74ac372.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 52.111.229.43:443 tcp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\aut34EB.tmp

MD5 9b9b53d76c5bb6b890157993cf720c64
SHA1 e03ae3b48974c2cb28d93f9548413f833a68ec53
SHA256 570edde4f1d9dec57454b81034d86c8fd194225f036b4f9acc1792eb5983dc37
SHA512 03fbeec082b8bafa5442f4a99d5222cf4fe1385110082e816244eff980e2b898d76b36f8528954ccbd292da2004229751f17cc079bfeb41b1bc4e2471a89c4f3

C:\Users\Admin\AppData\Local\Temp\vitraillist

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Temp\kinematical

MD5 9a05158e4ba660c40d7d6098ff6c2364
SHA1 159140d36232b35d61ca8ea7286981c297b741c3
SHA256 259614cdc895ec0f9d0c0edabee619401dbbb77223c73fa04f0d42403fdddb58
SHA512 45d3f5cf6b3e8e18f4af5177706811a739f431582dadd653669c6fd62a59132ce280c9a1805f455e292306a58bbe4523672a94f481f31e6be2e91022055b922e

C:\Users\Admin\AppData\Local\Temp\aut39DD.tmp

MD5 9e008f52612eb18d978886b2dac7a875
SHA1 a00de2a307d992718ef79ee3201f60c0f6334c62
SHA256 d0140aa9de707325ad32929f68a3b48d09cf4c36776c8bb3754f3e657017cada
SHA512 1d661078af9a3e25422267922ff2304d406379582946d16988c0489b822337baf56ca421c16ccd9f9e8935347bcabb6d41abe6cbc88d0d769b94d4dff0507f21
