Malware Analysis Report

2024-08-06 14:48

Sample ID: 240615-kw7ssavcmd
Target: ada5c21676bbedc2d53858fba5d33702_JaffaCakes118
SHA256: 0c493a39761851a26d351a3258692fe144cf756097a4bd923a959e8795ad6c6c
Tags: nanocore evasion keylogger spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 0c493a39761851a26d351a3258692fe144cf756097a4bd923a959e8795ad6c6c

Threat Level: Known bad

The file ada5c21676bbedc2d53858fba5d33702_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

nanocore evasion keylogger spyware stealer trojan

NanoCore

Drops startup file

Checks whether UAC is enabled

Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-15 08:58

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 08:58

Reported

2024-06-15 09:00

Platform

win7-20231129-en

Max time kernel

148s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HcLRYd.url | C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe | N/A

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3024 set thread context of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3024 wrote to memory of 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 3024 wrote to memory of 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 3024 wrote to memory of 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 3024 wrote to memory of 1448 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 1448 wrote to memory of 2764 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1448 wrote to memory of 2764 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1448 wrote to memory of 2764 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 1448 wrote to memory of 2764 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3024 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3024 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3024 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3024 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3024 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3024 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3024 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3024 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3024 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3024 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3024 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3024 wrote to memory of 2640 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe

"C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nue5xcyv\nue5xcyv.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1C76.tmp" "c:\Users\Admin\AppData\Local\Temp\nue5xcyv\CSC67A023D2C1044EE8B4785184C4F5CC5.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

Network

Country | Destination | Domain | Proto
GB | 185.125.205.71:6789 | | tcp
GB | 185.125.205.71:6789 | | tcp
GB | 185.125.205.71:6789 | | tcp
US | 8.8.8.8:53 | omada1.ddns.net | udp
US | 8.8.8.8:53 | omada1.ddns.net | udp
US | 8.8.8.8:53 | omada1.ddns.net | udp
GB | 185.125.205.71:6789 | | tcp
GB | 185.125.205.71:6789 | | tcp
GB | 185.125.205.71:6789 | | tcp
US | 8.8.8.8:53 | omada1.ddns.net | udp
US | 8.8.8.8:53 | omada1.ddns.net | udp
US | 8.8.8.8:53 | omada1.ddns.net | udp
GB | 185.125.205.71:6789 | | tcp
GB | 185.125.205.71:6789 | | tcp
GB | 185.125.205.71:6789 | | tcp
US | 8.8.8.8:53 | omada1.ddns.net | udp
US | 8.8.8.8:53 | omada1.ddns.net | udp
US | 8.8.8.8:53 | omada1.ddns.net | udp
GB | 185.125.205.71:6789 | | tcp
GB | 185.125.205.71:6789 | | tcp
GB | 185.125.205.71:6789 | | tcp
US | 8.8.8.8:53 | omada1.ddns.net | udp
US | 8.8.8.8:53 | omada1.ddns.net | udp
US | 8.8.8.8:53 | omada1.ddns.net | udp
GB | 185.125.205.71:6789 | | tcp
GB | 185.125.205.71:6789 | | tcp
GB | 185.125.205.71:6789 | | tcp
US | 8.8.8.8:53 | omada1.ddns.net | udp
US | 8.8.8.8:53 | omada1.ddns.net | udp
US | 8.8.8.8:53 | omada1.ddns.net | udp
GB | 185.125.205.71:6789 | | tcp
GB | 185.125.205.71:6789 | | tcp

Files

memory/3024-0-0x0000000074BFE000-0x0000000074BFF000-memory.dmp

memory/3024-1-0x0000000000230000-0x00000000002A4000-memory.dmp

memory/3024-5-0x0000000074BF0000-0x00000000752DE000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\nue5xcyv\nue5xcyv.cmdline

MD5 3131deac5c2136e027dfea093fbf238f
SHA1 a2ee1fd66c527c9609485bd37eaea25f35017cf4
SHA256 2ff9d7ee1f81e4e0a1a681c7767d18d461f66f5b24165d928007a33a1f6b6baf
SHA512 b61bbf22a63632ee72746882c5f1eafef37d905ec7515e26ab07da9cbbe6a622b051ba6daca6ed48b024000cf1613433194f6a8d260c837af0453fd3724ad4fd

\??\c:\Users\Admin\AppData\Local\Temp\nue5xcyv\nue5xcyv.0.cs

MD5 4801a7d3498045d0e79c845b4750557d
SHA1 479bae8d7b735b8d24225d173bdbf47b940e4da0
SHA256 e724633ba5babd87fd8d3a24cca85f213e0c8827ddc44aba0e470d42ae3f5e31
SHA512 4f0aa3c16cf13ab8c071dd5bc2176861216ba51cebe9bf6f4bd94ca23af7c1e629238afc829cecd493ae02a06b3e1213edefc78c42a4941be9958feb10db7e36

\??\c:\Users\Admin\AppData\Local\Temp\nue5xcyv\CSC67A023D2C1044EE8B4785184C4F5CC5.TMP

MD5 40a60c9ef7ab7332bfaf6230c84e8b40
SHA1 2221f2abb192c85f2ef5e82188c8b2914f4a593d
SHA256 f9bde7623139d1dc698ee475dcfcfed5d3b7646d9defc06fc70ff170c8ac7689
SHA512 841d0f15c2b8cf63a16786b4babdb15376413ecd71b5aa489c07dc294a390998f1b368af3e5fb058ce733a494383c78d2c4b083c1aed8fa88c433f9debeeee88

C:\Users\Admin\AppData\Local\Temp\RES1C76.tmp

MD5 b9b6b2ed0c87b30c0e8e28f115647257
SHA1 775774c51fbbba4e5610549e34288d0514f7bd66
SHA256 85a5cd1c35433834a9a19dc92d5fb0e9f11f6c37d36987b919f389613d059072
SHA512 c673e6052432abb59ae1c517d6886b53fd7c41a2f2ce5423b84286816b083f8c04eeab93d02feb2035bc0c90b8a7d2f1f98ebff3660565af362bfd4862a0a42a

C:\Users\Admin\AppData\Local\Temp\nue5xcyv\nue5xcyv.dll

MD5 2cc70c8b7627676d3f280c51f953593f
SHA1 a2c8a193a720790b1688380a06d816fd12378882
SHA256 73d31773b199af66c4fcefbe9031a78c3447f9a2558852c4b0b85e53115aa041
SHA512 35a1c367804f0edf6be2d05b831491bfd394ae03c3dccadbd81d995db96447f031cac77de66d02a847a856da8c4cce88d27bfa88f251db3fd16022a69410999a

C:\Users\Admin\AppData\Local\Temp\nue5xcyv\nue5xcyv.pdb

MD5 f40c18a3557ac7fb58cbb2e78aa81b3f
SHA1 707b2bb71ddc96ddfdddcc671a58db11ee12fa93
SHA256 b18974171243e3677bedd26e5fcfd9ce9320a34fd134ce30d87884a1e984aca4
SHA512 d0069139feffad55d195fe2fa4b050dff201efb1887806a65271329616668c77113493d4205341a9960cac8e31dcdaf52a62eb7fd5dce24b83cee5c94f839273

memory/3024-17-0x0000000000220000-0x0000000000228000-memory.dmp

memory/3024-19-0x0000000000760000-0x00000000007A2000-memory.dmp

memory/3024-20-0x0000000000460000-0x000000000046C000-memory.dmp

memory/3024-23-0x0000000000870000-0x00000000008A8000-memory.dmp

memory/2640-25-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2640-30-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2640-28-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2640-27-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2640-26-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2640-24-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2640-32-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2640-34-0x0000000000400000-0x0000000000438000-memory.dmp

memory/3024-35-0x0000000074BF0000-0x00000000752DE000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 08:58

Reported

2024-06-15 09:00

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe"

Signatures

NanoCore

keylogger trojan stealer spyware nanocore

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HcLRYd.url | C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe | N/A

Checks whether UAC is enabled

evasion trojan

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2788 set thread context of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2788 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2788 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2788 wrote to memory of 2268 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2268 wrote to memory of 2240 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2268 wrote to memory of 2240 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2268 wrote to memory of 2240 | N/A | C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2788 wrote to memory of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2788 wrote to memory of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2788 wrote to memory of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2788 wrote to memory of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2788 wrote to memory of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2788 wrote to memory of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2788 wrote to memory of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2788 wrote to memory of 4664 | N/A | C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe

"C:\Users\Admin\AppData\Local\Temp\Quotation_Request_Sheet_0089600090944833933.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\m1sgfq54\m1sgfq54.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5AA3.tmp" "c:\Users\Admin\AppData\Local\Temp\m1sgfq54\CSC7786421CE6DD4D13BBBAE94F74E7AED3.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

Network

Country | Destination | Domain | Proto
GB | 185.125.205.71:6789 | | tcp
GB | 185.125.205.71:6789 | | tcp
GB | 185.125.205.71:6789 | | tcp
US | 8.8.8.8:53 | omada1.ddns.net | udp
US | 8.8.4.4:53 | omada1.ddns.net | udp
US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | omada1.ddns.net | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | omada1.ddns.net | udp
US | 8.8.4.4:53 | omada1.ddns.net | udp
US | 8.8.8.8:53 | omada1.ddns.net | udp
US | 8.8.8.8:53 | omada1.ddns.net | udp
US | 8.8.4.4:53 | omada1.ddns.net | udp

Files

memory/2788-0-0x000000007492E000-0x000000007492F000-memory.dmp

memory/2788-1-0x0000000000E30000-0x0000000000EA4000-memory.dmp

memory/2788-5-0x0000000074920000-0x00000000750D0000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\m1sgfq54\m1sgfq54.cmdline

MD5 948abdf6f2a35c87d3a1fea5b11c83c6
SHA1 fbf47c5c95119c6dc1d18b007f00e68066a46f8f
SHA256 f86c2e237248a04015180ff38e8a3a03e002b7ab1179ff32def1839b9c424847
SHA512 9dca84a65ada7add43fbbe66f8f0dff9f7f2570b526f6594d25888073b560a4977c2736b115bac3c39cf6411d74cbcfc9fca0d39d2be3980f186ed9a996ac412

\??\c:\Users\Admin\AppData\Local\Temp\m1sgfq54\m1sgfq54.0.cs

MD5 4801a7d3498045d0e79c845b4750557d
SHA1 479bae8d7b735b8d24225d173bdbf47b940e4da0
SHA256 e724633ba5babd87fd8d3a24cca85f213e0c8827ddc44aba0e470d42ae3f5e31
SHA512 4f0aa3c16cf13ab8c071dd5bc2176861216ba51cebe9bf6f4bd94ca23af7c1e629238afc829cecd493ae02a06b3e1213edefc78c42a4941be9958feb10db7e36

\??\c:\Users\Admin\AppData\Local\Temp\m1sgfq54\CSC7786421CE6DD4D13BBBAE94F74E7AED3.TMP

MD5 6e9e83ab90a3d2ba703b2d7ebff38aab
SHA1 835e39cdb3812b5e36764d9885c2dfe59e2e1224
SHA256 6ac75578afca75f1cd097f3f3e6d96c121b37a5bd008239f1c472019522a9b0d
SHA512 7352fab09f2ab5ce091134ef56f57e26cf0a7a8f96ff2ad80fb84bf2326e3a372ac012daa452a07e99a0f780cc9eee2756194e8cff1d2edc0831e3eace6fadbc

C:\Users\Admin\AppData\Local\Temp\RES5AA3.tmp

MD5 6a7ede554626bc89b5449aea51ac30a2
SHA1 15448cad99e9d3ac8c6dee6d20c80035ea47643d
SHA256 573c567345a69b8aea7bcfe6bf6466ccf34f598d985ee7649c61f243fce9c25d
SHA512 7bfb63794f8212b9ee74e9bf71b3775e0f9c7e3cad82213333ac2710c596cd0ee3d5a7aae6cfc9375a1de0299d70442cdddd4e9efbc92702ebdea4f59bd9476a

C:\Users\Admin\AppData\Local\Temp\m1sgfq54\m1sgfq54.pdb

MD5 b4e5767686085c3af5669990e031eb84
SHA1 9008cb404353f92ceee308312474d8f13bec8ced
SHA256 6a56011e3d499f0f9fa9023f41ff49bc9e4894437eb7ab5311d08077573106a8
SHA512 f1c419fb91ac51c52f0e5fc1d6133fd8814716b45ceffc1b925601536b37fdd20333c4318d7fc61cf8a4c477f61447ba0e708af38ac2838521618ac40339f243

C:\Users\Admin\AppData\Local\Temp\m1sgfq54\m1sgfq54.dll

MD5 c071d4f6e54067ca5fd0020323ed4e55
SHA1 257c16016ced36a5169fee3b4b1d554f5eabcae5
SHA256 fb1f63a2d6fcc00fb16978330432f6ca8095db3edf2951a911a2bb4f9023a3e5
SHA512 4058ff041cf50d009b3763839c667cd311defc2b853513c58c4af21a031e273433d038d53994a87bd2255ac395d3be7f4dba1edb1cfd8504ac6c8766df8a12ca

memory/2788-17-0x0000000005770000-0x0000000005778000-memory.dmp

memory/2788-19-0x00000000058A0000-0x0000000005932000-memory.dmp

memory/2788-20-0x0000000005D80000-0x0000000005DC2000-memory.dmp

memory/2788-21-0x0000000005DD0000-0x0000000005DDC000-memory.dmp

memory/2788-24-0x0000000005DF0000-0x0000000005E28000-memory.dmp

memory/2788-25-0x0000000005ED0000-0x0000000005F6C000-memory.dmp

memory/4664-26-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2788-28-0x0000000074920000-0x00000000750D0000-memory.dmp

memory/4664-29-0x0000000074B12000-0x0000000074B13000-memory.dmp

memory/4664-30-0x0000000074B10000-0x00000000750C1000-memory.dmp

memory/4664-31-0x0000000074B10000-0x00000000750C1000-memory.dmp

memory/4664-33-0x0000000074B12000-0x0000000074B13000-memory.dmp

memory/4664-34-0x0000000074B10000-0x00000000750C1000-memory.dmp