Malware Analysis Report

2024-11-15 06:26

Sample ID 240618-sb8tcasgmn
Target bc8c9c47fbc12ecf67d1d2db3945475c_JaffaCakes118
SHA256 1371ed0e3652cdad077d790e54feec632246b2c457ce225a7536b0fb9d4489d7
Tags
agenttesla collection evasion keylogger spyware stealer trojan
score
10/10

Analysis Overview

score
10/10

SHA256

1371ed0e3652cdad077d790e54feec632246b2c457ce225a7536b0fb9d4489d7

Threat Level: Known bad

The file bc8c9c47fbc12ecf67d1d2db3945475c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

agenttesla collection evasion keylogger spyware stealer trojan

AgentTesla

AgentTesla payload

Looks for VirtualBox Guest Additions in registry

Looks for VMWare Tools registry key

Checks BIOS information in registry

Checks computer location settings

Maps connected drives based on registry

Accesses Microsoft Outlook profiles

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

outlook_office_path

outlook_win_path

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-18 14:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-18 14:58

Reported

2024-06-18 15:00

Platform

win10v2004-20240611-en

Max time kernel

108s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bc8c9c47fbc12ecf67d1d2db3945475c_JaffaCakes118.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\bc8c9c47fbc12ecf67d1d2db3945475c_JaffaCakes118.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\VMware, Inc.\VMware Tools C:\Users\Admin\AppData\Local\Temp\bc8c9c47fbc12ecf67d1d2db3945475c_JaffaCakes118.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bc8c9c47fbc12ecf67d1d2db3945475c_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bc8c9c47fbc12ecf67d1d2db3945475c_JaffaCakes118.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\bc8c9c47fbc12ecf67d1d2db3945475c_JaffaCakes118.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\bc8c9c47fbc12ecf67d1d2db3945475c_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\bc8c9c47fbc12ecf67d1d2db3945475c_JaffaCakes118.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3908 set thread context of 2460 N/A C:\Users\Admin\AppData\Local\Temp\bc8c9c47fbc12ecf67d1d2db3945475c_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc8c9c47fbc12ecf67d1d2db3945475c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3908 wrote to memory of 4692 N/A C:\Users\Admin\AppData\Local\Temp\bc8c9c47fbc12ecf67d1d2db3945475c_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 3908 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\bc8c9c47fbc12ecf67d1d2db3945475c_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bc8c9c47fbc12ecf67d1d2db3945475c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\bc8c9c47fbc12ecf67d1d2db3945475c_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hEbxgBEArIV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpDF92.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"{path}"

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.106:443 www.bing.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmpDF92.tmp

MD5 7b731609dbd94b934f9839e91ea3f789
SHA1 b844456de4ed65d93124f5f087bee8ec791535b4
SHA256 ed0c4af184af826f9b1e0eadcbe64fbd5021e98f9c7930419899a1bd66979f75
SHA512 ec31fa191070da37d05078190de9033254015a4a161c288bde618d3a2aecf16b55f8a7856a9e21bdfc81d054114b7c0f7eee74e4c64b220de7ef048ddfbf7f21

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-18 14:58

Reported

2024-06-18 15:00

Platform

win7-20240508-en

Max time kernel

119s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\bc8c9c47fbc12ecf67d1d2db3945475c_JaffaCakes118.exe"

Signatures

AgentTesla

keylogger trojan stealer spyware agenttesla

AgentTesla payload

Description Indicator Process Target
N/A N/A N/A N/A

Looks for VirtualBox Guest Additions in registry

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions C:\Users\Admin\AppData\Local\Temp\bc8c9c47fbc12ecf67d1d2db3945475c_JaffaCakes118.exe N/A

Looks for VMWare Tools registry key

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\VMware, Inc.\VMware Tools C:\Users\Admin\AppData\Local\Temp\bc8c9c47fbc12ecf67d1d2db3945475c_JaffaCakes118.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\bc8c9c47fbc12ecf67d1d2db3945475c_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\bc8c9c47fbc12ecf67d1d2db3945475c_JaffaCakes118.exe N/A

Accesses Microsoft Outlook profiles

collection
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Maps connected drives based on registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum C:\Users\Admin\AppData\Local\Temp\bc8c9c47fbc12ecf67d1d2db3945475c_JaffaCakes118.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\Disk\Enum\0 C:\Users\Admin\AppData\Local\Temp\bc8c9c47fbc12ecf67d1d2db3945475c_JaffaCakes118.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1520 set thread context of 2812 N/A C:\Users\Admin\AppData\Local\Temp\bc8c9c47fbc12ecf67d1d2db3945475c_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

Enumerates physical storage devices

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\bc8c9c47fbc12ecf67d1d2db3945475c_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1520 wrote to memory of 2632 N/A C:\Users\Admin\AppData\Local\Temp\bc8c9c47fbc12ecf67d1d2db3945475c_JaffaCakes118.exe C:\Windows\SysWOW64\schtasks.exe
PID 1520 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\bc8c9c47fbc12ecf67d1d2db3945475c_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

outlook_office_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

outlook_win_path

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\bc8c9c47fbc12ecf67d1d2db3945475c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\bc8c9c47fbc12ecf67d1d2db3945475c_JaffaCakes118.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hEbxgBEArIV" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA13F.tmp"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe

"{path}"

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\tmpA13F.tmp

MD5 53eff391bbccbd428f8e8d635633ab1c
SHA1 4c6d097617c1aea02412abbb3cb67e5585facbe3
SHA256 7c8e571dfb4afdf05da202c362a843b321ca4176b9dd750b3b9f692a3cd7161e
SHA512 f62e56f195eead8eb7c361d0513f8cf9c27cc883d212bd924c259665416af7c56c15bbc82e2dcd2a488cc5ab3f8921205fff7c34958dbb7d5ebe2deef215efd4
