Malware Analysis Report

2024-11-30 06:50

Sample ID 240604-b5g42shg33
Target a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe
SHA256 a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc
Tags
agenttesla keylogger spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc

Threat Level: Known bad

The file a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe was found to be: Known bad.

Malicious Activity Summary

agenttesla keylogger spyware stealer trojan

AgentTesla

Detects executables referencing Windows vault credential objects. Observed in infostealers

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Detects executables referencing many file transfer clients. Observed in information stealers

Detects executables referencing many email and collaboration clients. Observed in information stealers

Detect packed .NET executables. Mostly AgentTeslaV4.

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Looks up external IP address via web service

Suspicious use of SetThreadContext

AutoIT Executable

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-06-04 01:43

Signatures

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 01:43

Reported

2024-06-04 01:46

Platform

win7-20240221-en

Max time kernel

121s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Detect packed .NET executables. Mostly AgentTeslaV4.

Description Indicator Process Target
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing Windows vault credential objects. Observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many email and collaboration clients. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many file transfer clients. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2648 set thread context of 2600 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3056 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3056 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3056 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3056 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3056 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3056 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3056 wrote to memory of 2624 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 3056 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe
PID 3056 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe
PID 3056 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe
PID 3056 wrote to memory of 2756 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe
PID 2756 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2756 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2756 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2756 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2756 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2756 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2756 wrote to memory of 2644 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2756 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe
PID 2756 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe
PID 2756 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe
PID 2756 wrote to memory of 2648 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe
PID 2648 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2648 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2648 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2648 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2648 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2648 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2648 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2648 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Processes

C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe

"C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe"

C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe

"C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe"

C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe

"C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.ipify.org udp
US 104.26.13.205:443 api.ipify.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cocles

MD5 783d23834de9a67975d6d8d5dd624c33
SHA1 49967f7137a0d7afbe403bb67472ccb183031d7b
SHA256 207ce0227f5aacb87fa89587dda8c13ef0fddb784551735d61b915b91822f199
SHA512 280111680e680e334a4b92fbbd816ffe145097a361998382b029b03dd2de9791e7da52f1f513542a0b97ba772d117b1454bf4d498174a783966f63f1e2bb1e45

memory/3056-11-0x0000000000120000-0x0000000000124000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Cocles

MD5 4a37b2ebce76601f28e88e24e62ae715
SHA1 2de7edb7e9d0cb82c1ce37bf2018e65cf4ef8b0f
SHA256 e03f1f2de3a0ea07b30025efd9231aa4c8dfe7206207f8aa07398359fc34c04d
SHA512 2442549f355aab69ce01179acd308ba057b62fd479ef60e0686d709a58af7841f583931f596ae9b63e6c283f7813fc9d15aefae7a7c05dd8a662b1bac58108df

C:\Users\Admin\AppData\Local\Temp\Mazatl

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(digests of a zero-byte file: these hashes identify no content and are not usable as indicators)

C:\Users\Admin\AppData\Local\Temp\Mazatl

MD5 f0daa501b890c824b0aac0853ed60c08
SHA1 020f40b45f96925a292d8d078493d513d034991d
SHA256 d7bdf941d0b05c018070f5a85732d1437292d5d77339d26990162be95998a838
SHA512 5953914dca5c9cbb078f33c8e97eeddfd00929f07bd5f7ec67e7f49d4316e42a38af9b2c2aaf9e85425f7d12fbbab217e988f722cdf8a5df43737b3e153cf4e7

C:\Users\Admin\AppData\Local\Temp\aut2685.tmp

MD5 96d838c0d60e6803d29a3a94ede33933
SHA1 21d4985e97f42bf3dc2ea39cfb6deeba464260ef
SHA256 c920a56dd04a2c27fa756cf7faeb7f5981773bc22099f7830992ecf27f06ce6b
SHA512 4ec9c2c5b2548145debaf476fe93e136cc14da1340c5273f82ce3dab4d383d6a902cfc0cbc2eaeeb8044d0402c5c9e65082bf9f93e22b8b670ba04d23e45efdf

memory/2600-41-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2600-40-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2600-39-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2600-42-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

memory/2600-43-0x0000000000270000-0x00000000002C4000-memory.dmp

memory/2600-44-0x0000000000BD0000-0x0000000000C24000-memory.dmp

memory/2600-45-0x0000000074A60000-0x000000007514E000-memory.dmp

memory/2600-46-0x0000000074A60000-0x000000007514E000-memory.dmp

memory/2600-96-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

memory/2600-244-0x0000000074A60000-0x000000007514E000-memory.dmp

memory/2600-106-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

memory/2600-1092-0x0000000074A60000-0x000000007514E000-memory.dmp

memory/2600-104-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

memory/2600-102-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

memory/2600-100-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

memory/2600-98-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

memory/2600-94-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

memory/2600-91-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

memory/2600-88-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

memory/2600-84-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

memory/2600-78-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

memory/2600-72-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

memory/2600-92-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

memory/2600-86-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

memory/2600-82-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

memory/2600-80-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

memory/2600-77-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

memory/2600-74-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

memory/2600-70-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

memory/2600-68-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

memory/2600-66-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

memory/2600-64-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

memory/2600-62-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

memory/2600-60-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

memory/2600-58-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

memory/2600-56-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

memory/2600-54-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

memory/2600-52-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

memory/2600-50-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

memory/2600-48-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

memory/2600-47-0x0000000000BD0000-0x0000000000C1D000-memory.dmp

memory/2600-1093-0x0000000000400000-0x0000000000446000-memory.dmp

memory/2600-1094-0x0000000074A6E000-0x0000000074A6F000-memory.dmp

memory/2600-1095-0x0000000074A60000-0x000000007514E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 01:43

Reported

2024-06-04 01:46

Platform

win10v2004-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

Detect packed .NET executables. Mostly AgentTeslaV4.

Description Indicator Process Target
N/A N/A N/A N/A

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers.

Description Indicator Process Target
N/A N/A N/A N/A

Detects binaries and memory artifacts referencing sandbox DLLs typically observed in sandbox evasion

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing Windows vault credential objects. Observed in infostealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many confidential data stores found in browsers, mail clients, cryptocurrency wallets, etc. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many email and collaboration clients. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A

Detects executables referencing many file transfer clients. Observed in information stealers

Description Indicator Process Target
N/A N/A N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A api.ipify.org N/A N/A
N/A api.ipify.org N/A N/A
N/A ip-api.com N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2816 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2816 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2816 wrote to memory of 1620 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 2816 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe
PID 2816 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe
PID 2816 wrote to memory of 1736 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe
PID 1736 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1736 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1736 wrote to memory of 788 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 1736 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe
PID 1736 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe
PID 1736 wrote to memory of 60 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe
PID 60 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 60 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 60 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
PID 60 wrote to memory of 532 N/A C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
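The WriteProcessMemory and SetThreadContext rows of behavioral1 and behavioral2 describe the same pattern: the AutoIt-wrapped sample writes into a freshly started RegSvcs.exe, re-launches itself, and repeats until one RegSvcs.exe instance also gets a thread-context change. The script below is an added example (not part of this report or the sandbox's own tooling) that parses those rows, reconstructs the injection chain and applies an analyst's heuristic: a process that is both written to and has its thread context set by the same source, and runs a different image than the source, is treated as hollowed. The rows are constructed from the tables above; the heuristic itself is an assumption, and behavioral2 shows its limit, since that run reports no SetThreadContext row, so the chain is recovered but hollowing is not confirmed.

```python
import re

# Rows constructed from the "Suspicious use of WriteProcessMemory" and
# "Suspicious use of SetThreadContext" tables of behavioral1 and behavioral2
# above. The report repeats a row once per API call; one duplicate is kept
# here to show that the parser collapses it.
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe"
REGSVCS = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

BEHAVIORAL1 = [
    f"PID 2648 set thread context of 2600 N/A {SAMPLE} {REGSVCS}",
    f"PID 3056 wrote to memory of 2624 N/A {SAMPLE} {REGSVCS}",
    f"PID 3056 wrote to memory of 2624 N/A {SAMPLE} {REGSVCS}",
    f"PID 3056 wrote to memory of 2756 N/A {SAMPLE} {SAMPLE}",
    f"PID 2756 wrote to memory of 2644 N/A {SAMPLE} {REGSVCS}",
    f"PID 2756 wrote to memory of 2648 N/A {SAMPLE} {SAMPLE}",
    f"PID 2648 wrote to memory of 2600 N/A {SAMPLE} {REGSVCS}",
]
BEHAVIORAL2 = [
    f"PID 2816 wrote to memory of 1620 N/A {SAMPLE} {REGSVCS}",
    f"PID 2816 wrote to memory of 1736 N/A {SAMPLE} {SAMPLE}",
    f"PID 1736 wrote to memory of 788 N/A {SAMPLE} {REGSVCS}",
    f"PID 1736 wrote to memory of 60 N/A {SAMPLE} {SAMPLE}",
    f"PID 60 wrote to memory of 532 N/A {SAMPLE} {REGSVCS}",
]

ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<op>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) N/A (?P<src_img>\S+) (?P<dst_img>\S+)$"
)


def parse_rows(rows):
    """Parse signature rows into deduplicated (op, src_pid, dst_pid, src_img, dst_img) tuples."""
    events, seen = [], set()
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            continue  # tolerate rows of other signature types
        op = "write" if m["op"].startswith("wrote") else "setctx"
        ev = (op, int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"])
        if ev not in seen:
            seen.add(ev)
            events.append(ev)
    return events


def find_hollowing(events):
    """(src_pid, dst_pid, dst_img) for every target that the same source both wrote
    to and changed the thread context of, where the target runs a different image.
    Heuristic for process hollowing of a decoy binary (an analyst's rule, not the
    sandbox's)."""
    writes = {(s, d) for op, s, d, _, _ in events if op == "write"}
    return [(s, d, d_img) for op, s, d, s_img, d_img in events
            if op == "setctx" and (s, d) in writes and s_img.lower() != d_img.lower()]


def write_targets_without_setctx(events):
    """Targets that received WriteProcessMemory but no SetThreadContext from any
    source: abandoned injection attempts and re-spawned copies of the injector."""
    ctx = {d for op, _, d, _, _ in events if op == "setctx"}
    return sorted({d for op, _, d, _, _ in events if op == "write" and d not in ctx})


def injection_chain(events, leaf_pid):
    """Follow WriteProcessMemory edges backwards from leaf_pid to the root injector."""
    parent = {}
    for op, s, d, _, _ in events:
        if op == "write":
            parent.setdefault(d, s)
    chain = [leaf_pid]
    while chain[-1] in parent and parent[chain[-1]] not in chain:
        chain.append(parent[chain[-1]])
    return chain[::-1]


if __name__ == "__main__":
    for name, rows in (("behavioral1", BEHAVIORAL1), ("behavioral2", BEHAVIORAL2)):
        ev = parse_rows(rows)
        hits = find_hollowing(ev)
        print(name, "hollowing:", hits or "not confirmed (no SetThreadContext row)")
        for _, dst, _ in hits:
            print("  chain:", " -> ".join(map(str, injection_chain(ev, dst))))
        print("  writes without setctx:", write_targets_without_setctx(ev))
```

For behavioral1 this yields the chain 3056 -> 2756 -> 2648 -> 2600, with RegSvcs.exe PIDs 2624 and 2644 as targets that were written to but never resumed. The memory dumps the report lists for the final RegSvcs.exe (PID 2600 in behavioral1, PID 532 in behavioral2) at 0x00400000-0x00446000 are the first place to look for the unpacked payload; the sample's own command line being shown for each RegSvcs.exe in the Processes section is consistent with the decoy being created by the injector rather than launched legitimately.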

Processes

C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe

"C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe"

C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe

"C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe"

C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe

"C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"C:\Users\Admin\AppData\Local\Temp\a0aeecd9428c6495f7c16c85478cfd0c46a2f961df63f27943088873c6abdfdc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 api.ipify.org udp
US 172.67.74.152:443 api.ipify.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 152.74.67.172.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 11.173.189.20.in-addr.arpa udp
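The network tables of behavioral1 and behavioral2 mix three kinds of traffic: the sample's external-IP lookups (api.ipify.org, ip-api.com), the sandbox's reverse (in-addr.arpa) lookups of every contacted IP, and, on the Windows 10 image, Bing background traffic. The script below is an added example (not from this report) that parses rows in the report's "Country Destination Domain Proto" layout, classifies them, and separates the indicators that survive across detonations from those that do not. The rows are constructed from the tables above (behavioral2 trimmed to one row per destination); treating .bing.com/.bing.net as OS noise is an allowlist assumption to be tuned per sandbox image, and both lookup services are legitimate public APIs, so they are hunting leads rather than block-on-sight indicators.

```python
import re
from collections import Counter

# Network rows constructed from the behavioral1 and behavioral2 tables above
# (behavioral2 abbreviated to one row per destination).
BEHAVIORAL1_NET = """
US 8.8.8.8:53 api.ipify.org udp
US 104.26.13.205:443 api.ipify.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
"""
BEHAVIORAL2_NET = """
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
US 8.8.8.8:53 api.ipify.org udp
US 172.67.74.152:443 api.ipify.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
"""

# Public "what is my IP" services; the report's "Looks up external IP address
# via web service" signature fires on these two.
IP_LOOKUP_SERVICES = {"api.ipify.org", "ip-api.com"}
# Assumption: Bing traffic on a Windows 10 sandbox image is OS background noise,
# not sample behaviour. Tune this allowlist to the sandbox image in use.
OS_NOISE_SUFFIXES = (".bing.com", ".bing.net")

ROW_RE = re.compile(
    r"^(?P<cc>[A-Z]{2}) (?P<ip>[\d.]+):(?P<port>\d+) (?P<domain>\S+) (?P<proto>tcp|udp)$"
)


def parse_network(block):
    rows = []
    for line in block.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append({**m.groupdict(), "port": int(m["port"])})
    return rows


def classify(domain):
    d = domain.lower()
    if d in IP_LOOKUP_SERVICES:
        return "ip-lookup"
    if d.endswith(".in-addr.arpa"):
        return "ptr-lookup"  # reverse lookups of contacted IPs; no hunting value
    if d.endswith(OS_NOISE_SUFFIXES):
        return "os-noise"
    return "unclassified"  # anything here deserves a manual look


def triage(block):
    """Return (class counts, sorted (domain, ip, port) of actual TCP connections to
    IP-lookup services). DNS queries to 8.8.8.8 are counted but not listed: the
    resolver belongs to the sandbox, not the sample."""
    rows = parse_network(block)
    counts = Counter(classify(r["domain"]) for r in rows)
    endpoints = sorted({(r["domain"], r["ip"], r["port"]) for r in rows
                        if r["proto"] == "tcp" and classify(r["domain"]) == "ip-lookup"})
    return counts, endpoints


def stable_across_runs(*blocks):
    """Split the IP-lookup IOCs into what survives across detonations. Domains
    recur; the IP behind a CDN-fronted service (api.ipify.org here) does not."""
    endpoint_sets = [set(triage(b)[1]) for b in blocks]
    common_endpoints = sorted(set.intersection(*endpoint_sets))
    common_domains = sorted(set.intersection(*[{d for d, _, _ in s} for s in endpoint_sets]))
    return {"domains": common_domains, "endpoints": common_endpoints}


if __name__ == "__main__":
    for name, block in (("behavioral1", BEHAVIORAL1_NET), ("behavioral2", BEHAVIORAL2_NET)):
        counts, endpoints = triage(block)
        print(name, dict(counts), endpoints)
    print(stable_across_runs(BEHAVIORAL1_NET, BEHAVIORAL2_NET))
```

Across the two runs only ip-api.com keeps the same endpoint (208.95.112.1:80, plaintext HTTP); api.ipify.org resolves to a different Cloudflare address each time, so a domain-level rule is the right granularity for it. Neither run shows the exfiltration channel itself (no SMTP, FTP or Telegram traffic appears in the tables), which is worth noting before treating the lookups as the full picture.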

Files

C:\Users\Admin\AppData\Local\Temp\aut6987.tmp

MD5 783d23834de9a67975d6d8d5dd624c33
SHA1 49967f7137a0d7afbe403bb67472ccb183031d7b
SHA256 207ce0227f5aacb87fa89587dda8c13ef0fddb784551735d61b915b91822f199
SHA512 280111680e680e334a4b92fbbd816ffe145097a361998382b029b03dd2de9791e7da52f1f513542a0b97ba772d117b1454bf4d498174a783966f63f1e2bb1e45

memory/2816-12-0x0000000003B80000-0x0000000003B84000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Mazatl

MD5 f0daa501b890c824b0aac0853ed60c08
SHA1 020f40b45f96925a292d8d078493d513d034991d
SHA256 d7bdf941d0b05c018070f5a85732d1437292d5d77339d26990162be95998a838
SHA512 5953914dca5c9cbb078f33c8e97eeddfd00929f07bd5f7ec67e7f49d4316e42a38af9b2c2aaf9e85425f7d12fbbab217e988f722cdf8a5df43737b3e153cf4e7

C:\Users\Admin\AppData\Local\Temp\Cocles

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
(digests of a zero-byte file: these hashes identify no content and are not usable as indicators)

C:\Users\Admin\AppData\Local\Temp\aut6E8A.tmp

MD5 96d838c0d60e6803d29a3a94ede33933
SHA1 21d4985e97f42bf3dc2ea39cfb6deeba464260ef
SHA256 c920a56dd04a2c27fa756cf7faeb7f5981773bc22099f7830992ecf27f06ce6b
SHA512 4ec9c2c5b2548145debaf476fe93e136cc14da1340c5273f82ce3dab4d383d6a902cfc0cbc2eaeeb8044d0402c5c9e65082bf9f93e22b8b670ba04d23e45efdf

memory/532-41-0x0000000000400000-0x0000000000446000-memory.dmp

memory/532-43-0x0000000000400000-0x0000000000446000-memory.dmp

memory/532-44-0x0000000000400000-0x0000000000446000-memory.dmp

memory/532-42-0x0000000000400000-0x0000000000446000-memory.dmp

memory/532-45-0x0000000002D00000-0x0000000002D54000-memory.dmp

memory/532-46-0x0000000005AA0000-0x0000000006044000-memory.dmp

memory/532-47-0x0000000005360000-0x00000000053B4000-memory.dmp

memory/532-63-0x0000000005360000-0x00000000053AD000-memory.dmp

memory/532-67-0x0000000005360000-0x00000000053AD000-memory.dmp

memory/532-107-0x0000000005360000-0x00000000053AD000-memory.dmp

memory/532-103-0x0000000005360000-0x00000000053AD000-memory.dmp

memory/532-101-0x0000000005360000-0x00000000053AD000-memory.dmp

memory/532-99-0x0000000005360000-0x00000000053AD000-memory.dmp

memory/532-97-0x0000000005360000-0x00000000053AD000-memory.dmp

memory/532-95-0x0000000005360000-0x00000000053AD000-memory.dmp

memory/532-93-0x0000000005360000-0x00000000053AD000-memory.dmp

memory/532-91-0x0000000005360000-0x00000000053AD000-memory.dmp

memory/532-89-0x0000000005360000-0x00000000053AD000-memory.dmp

memory/532-87-0x0000000005360000-0x00000000053AD000-memory.dmp

memory/532-85-0x0000000005360000-0x00000000053AD000-memory.dmp

memory/532-83-0x0000000005360000-0x00000000053AD000-memory.dmp

memory/532-79-0x0000000005360000-0x00000000053AD000-memory.dmp

memory/532-77-0x0000000005360000-0x00000000053AD000-memory.dmp

memory/532-75-0x0000000005360000-0x00000000053AD000-memory.dmp

memory/532-73-0x0000000005360000-0x00000000053AD000-memory.dmp

memory/532-71-0x0000000005360000-0x00000000053AD000-memory.dmp

memory/532-69-0x0000000005360000-0x00000000053AD000-memory.dmp

memory/532-65-0x0000000005360000-0x00000000053AD000-memory.dmp

memory/532-61-0x0000000005360000-0x00000000053AD000-memory.dmp

memory/532-59-0x0000000005360000-0x00000000053AD000-memory.dmp

memory/532-57-0x0000000005360000-0x00000000053AD000-memory.dmp

memory/532-55-0x0000000005360000-0x00000000053AD000-memory.dmp

memory/532-53-0x0000000005360000-0x00000000053AD000-memory.dmp

memory/532-51-0x0000000005360000-0x00000000053AD000-memory.dmp

memory/532-105-0x0000000005360000-0x00000000053AD000-memory.dmp

memory/532-81-0x0000000005360000-0x00000000053AD000-memory.dmp

memory/532-49-0x0000000005360000-0x00000000053AD000-memory.dmp

memory/532-48-0x0000000005360000-0x00000000053AD000-memory.dmp

memory/532-1092-0x0000000005560000-0x00000000055C6000-memory.dmp

memory/532-1093-0x00000000068F0000-0x0000000006940000-memory.dmp

memory/532-1094-0x00000000069E0000-0x0000000006A72000-memory.dmp

memory/532-1095-0x0000000006970000-0x000000000697A000-memory.dmp

memory/532-1096-0x0000000000400000-0x0000000000446000-memory.dmp
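The Files sections of the two runs list the same dropped content under different names (the aut2685.tmp / aut6E8A.tmp pair and the Cocles / aut6987.tmp pair share hashes) and also list zero-byte captures whose digests are just the hash of the empty string. The script below is an added example (not from this report) that correlates the file entries of both runs by SHA-256, drops the empty-file digests, and marks names that look like AutoIt's transient autXXXX.tmp files as volatile, leaving the content hashes as the indicators worth keeping. The entries are constructed from the Files sections above; the autXXXX.tmp naming pattern is an assumption based on the report's AutoIT Executable tag.

```python
import hashlib
import re

# Digests of the empty string: a file entry carrying these was captured at zero bytes.
EMPTY_MD5 = hashlib.md5(b"").hexdigest()
EMPTY_SHA256 = hashlib.sha256(b"").hexdigest()

# (path, md5, sha256) entries constructed from the Files sections of both runs.
T = r"C:\Users\Admin\AppData\Local\Temp"
RUNS = {
    "behavioral1": [
        (T + r"\Cocles", "783d23834de9a67975d6d8d5dd624c33",
         "207ce0227f5aacb87fa89587dda8c13ef0fddb784551735d61b915b91822f199"),
        (T + r"\Cocles", "4a37b2ebce76601f28e88e24e62ae715",
         "e03f1f2de3a0ea07b30025efd9231aa4c8dfe7206207f8aa07398359fc34c04d"),
        (T + r"\Mazatl", "d41d8cd98f00b204e9800998ecf8427e",
         "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
        (T + r"\Mazatl", "f0daa501b890c824b0aac0853ed60c08",
         "d7bdf941d0b05c018070f5a85732d1437292d5d77339d26990162be95998a838"),
        (T + r"\aut2685.tmp", "96d838c0d60e6803d29a3a94ede33933",
         "c920a56dd04a2c27fa756cf7faeb7f5981773bc22099f7830992ecf27f06ce6b"),
    ],
    "behavioral2": [
        (T + r"\aut6987.tmp", "783d23834de9a67975d6d8d5dd624c33",
         "207ce0227f5aacb87fa89587dda8c13ef0fddb784551735d61b915b91822f199"),
        (T + r"\Mazatl", "f0daa501b890c824b0aac0853ed60c08",
         "d7bdf941d0b05c018070f5a85732d1437292d5d77339d26990162be95998a838"),
        (T + r"\Cocles", "d41d8cd98f00b204e9800998ecf8427e",
         "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"),
        (T + r"\aut6E8A.tmp", "96d838c0d60e6803d29a3a94ede33933",
         "c920a56dd04a2c27fa756cf7faeb7f5981773bc22099f7830992ecf27f06ce6b"),
    ],
}

# Assumption: autXXXX.tmp is the transient name AutoIt gives extracted files.
AUT_TMP_RE = re.compile(r"^aut[0-9A-Fa-f]{4}\.tmp$")


def is_empty_file(md5, sha256):
    return md5 == EMPTY_MD5 or sha256 == EMPTY_SHA256


def basename(path):
    return path.rsplit("\\", 1)[-1]


def stable_iocs(runs):
    """Group non-empty artifacts by SHA-256 across runs.
    Returns {sha256: {"runs": [...], "names": [...], "volatile_name": bool}};
    volatile_name is True when every observed name is an autXXXX.tmp, i.e. the
    filename is not a usable indicator even though the content hash is."""
    by_hash = {}
    for run, entries in runs.items():
        for path, md5, sha256 in entries:
            if is_empty_file(md5, sha256):
                continue
            rec = by_hash.setdefault(sha256, {"runs": set(), "names": set()})
            rec["runs"].add(run)
            rec["names"].add(basename(path))
    return {
        h: {
            "runs": sorted(rec["runs"]),
            "names": sorted(rec["names"]),
            "volatile_name": all(AUT_TMP_RE.match(n) for n in rec["names"]),
        }
        for h, rec in by_hash.items()
    }


def present_in_all_runs(runs):
    """SHA-256 values dropped in every detonation: the hashes to hunt or block on."""
    return sorted(h for h, rec in stable_iocs(runs).items() if rec["runs"] == sorted(runs))


if __name__ == "__main__":
    for h, rec in stable_iocs(RUNS).items():
        print(h[:16], rec)
    print("in all runs:", present_in_all_runs(RUNS))
```

Three content hashes recur in both runs and one (e03f1f2d...) appears only in behavioral1; of the recurring ones, c920a56d... was seen only under volatile autXXXX.tmp names, so it goes into detection as a hash, not a path.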