Malware Analysis Report

2024-10-18 23:06

Sample ID 240725-brlv3ssfjd
Target 6d9645853f6a14a564f7be1110327e6f_JaffaCakes118
SHA256 903a315f8e05abfbdc9cf2b32f5c23c770505d5dcb1190c5e17a8117287ce4f4
Tags
ardamax discovery keylogger persistence stealer
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

903a315f8e05abfbdc9cf2b32f5c23c770505d5dcb1190c5e17a8117287ce4f4

Threat Level: Known bad

The file 6d9645853f6a14a564f7be1110327e6f_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

ardamax discovery keylogger persistence stealer

Ardamax

Ardamax main executable

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

NSIS installer

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-25 01:22

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-25 01:22

Reported

2024-07-25 02:02

Platform

win10v2004-20240704-en

Max time kernel

135s

Max time network

108s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1403246978-718555486-3105247137-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Kermit.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\MCBFIX\LDB.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\LDB Start = "C:\\Windows\\SysWOW64\\MCBFIX\\LDB.exe" | C:\Windows\SysWOW64\MCBFIX\LDB.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\MCBFIX\LDB.004 | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A
File created | C:\Windows\SysWOW64\MCBFIX\LDB.001 | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A
File created | C:\Windows\SysWOW64\MCBFIX\LDB.002 | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A
File created | C:\Windows\SysWOW64\MCBFIX\LDB.003 | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A
File created | C:\Windows\SysWOW64\MCBFIX\LDB.exe | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A
File opened for modification | C:\Windows\SysWOW64\MCBFIX\ | C:\Windows\SysWOW64\MCBFIX\LDB.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\MCBFIX\LDB.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Kermit.exe | N/A

NSIS installer

installer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\SysWOW64\MCBFIX\LDB.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\MCBFIX\LDB.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\MCBFIX\LDB.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\MCBFIX\LDB.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\MCBFIX\LDB.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\MCBFIX\LDB.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\Install.exe

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

C:\Users\Admin\AppData\Local\Temp\Kermit.exe

"C:\Users\Admin\AppData\Local\Temp\Kermit.exe"

C:\Windows\SysWOW64\MCBFIX\LDB.exe

"C:\Windows\system32\MCBFIX\LDB.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 73.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp

Files

C:\Users\Admin\AppData\Local\Temp\Install.exe

MD5 7852b729c3ac6da81dc48173058c1e51
SHA1 f66fb8c96bdaf5e4f6901280f1b4096b31efc496
SHA256 9f8a15c488dc42ee3694996d10df1cc734107b62afb526ef2a157f45bc63ee26
SHA512 72a0a8359b02a832eb2d493bf663ad8b312ca2bc25b69e55ccd26b3b4879a01e379712e49dc2ffb2711dab49e595713909549c225a2f6654533904660f4add09

C:\Users\Admin\AppData\Local\Temp\Kermit.exe

MD5 6146c7becde8f5aa3f06c56a5c7876c6
SHA1 599b289ae7ddd6fd3a1e3ded4b6a7db0b627603b
SHA256 94b2bd510e45e2e4611d8106a88fe26d3beafae9acb5f1f94d9042a705605e84
SHA512 4260e85d70b98855ebb234ba180a3056d4bc181ba4f3628c16a6953474e50d9001178cf933f4dd8462e70e438e51df9e380724ce8daa59c62505ab4d0e62c347

C:\Windows\SysWOW64\MCBFIX\LDB.exe

MD5 3cd29c0df98a7aeb69a9692843ca3edb
SHA1 7c86aea093f1979d18901bd1b89a2b02a60ac3e2
SHA256 5a37cd66508fa3fc85ae547de3498e709bd45167cb57f5e9b271dc3a1cb71a32
SHA512 e78f3206b1878e8db1766d4038a375bbebcbcdb8d1b0a0cb9b0dc72c54881392b9c27e2864ad9118702da58f203f13e0ad5d230980ad1ef2370391a2c4acffc9

C:\Users\Admin\AppData\Local\Temp\nsx730F.tmp\InstallOptions.dll

MD5 325b008aec81e5aaa57096f05d4212b5
SHA1 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

C:\Users\Admin\AppData\Local\Temp\nsx730F.tmp\ioSpecial.ini

MD5 5fa641f0f97ef5509b876afc3624ca14
SHA1 f8d5897f4bc1e897e9e95da59dda09b8fcad3634
SHA256 b9302a4bf6dd9f707b3cdcd4ac9170a6d0b8bfcca7b26646b9635f4bec72c193
SHA512 7b68e8e4e7cfdd5c59f8a8852539a89e0124bcc3f4034eacb4ebf3e1dd8f931f08365d4eaca49132c5bd9a0822b1f74490a12f17859945b093f627b9c19e9400

C:\Windows\SysWOW64\MCBFIX\LDB.004

MD5 12184213127875905ed91975d1972e48
SHA1 42431004f6a147e75875361ee8dc029fb5add072
SHA256 c2c838072aa40b9b29ce12e0051c11bc2b0b46efc814b4462ac4502136f4e983
SHA512 7c8a48270f8804205ced0cbfefd4ce63fc7cf53bdf866416d941e805655d637f31f3650d24da3b6fbe7407e3ce43d3a7f14658b28adb457281e1d552d654b8f9

C:\Windows\SysWOW64\MCBFIX\LDB.001

MD5 383d5f5d4240d590e7dec3f7312a4ac7
SHA1 f6bcade8d37afb80cf52a89b3e84683f4643fbce
SHA256 7e87f6817b17a75106d34ce9884c40ddfb381bf8f2013930916498d1df0a6422
SHA512 e652c41ec95d653940b869426bc2cbd8e5b3159110ffaab7d623e23eebe1f34ca65be6a9a9cdcd5f41aec7567469d6b4d6362d24ae92267cddb8940e1265806a

C:\Windows\SysWOW64\MCBFIX\LDB.003

MD5 cefd6e9c8a039ab9a7833414dfb03f76
SHA1 2a026d0514e0119d0fd545a0d2f6deb198806b70
SHA256 4d71cf9a598c7babd938c2635a755441da18502118cc3336ae25389510c7d01f
SHA512 efcfd6654bf0c45158f43a8c8fd45cc8d40cac227926faa0cd368f1d8012df1bc271f3c7d5db539b1bf282087e533e5a809cf040ac087fcfab58bb320c5a5502

C:\Windows\SysWOW64\MCBFIX\LDB.002

MD5 93df156c4bd9d7341f4c4a4847616a69
SHA1 c7663b32c3c8e247bc16b51aff87b45484652dc1
SHA256 e55b6eabf0f99b90bd4cf3777c25813bded7b6fc5c9955188c8aa5224d299c3e
SHA512 ed2e98c5fd1f0d49e5bac8baa515d489c89f8d42772ae05e4b7a32da8f06d511adad27867034ca0865beae9f78223e95c7d0f826154fc663f2fab9bd61e36e35

memory/2756-111-0x0000000002360000-0x0000000002375000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-25 01:22

Reported

2024-07-25 02:02

Platform

win7-20240705-en

Max time kernel

120s

Max time network

118s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Kermit.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\MCBFIX\LDB.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\LDB Start = "C:\\Windows\\SysWOW64\\MCBFIX\\LDB.exe" | C:\Windows\SysWOW64\MCBFIX\LDB.exe | N/A

Checks installed software on the system

discovery

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\MCBFIX\LDB.exe | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A
File opened for modification | C:\Windows\SysWOW64\MCBFIX\ | C:\Windows\SysWOW64\MCBFIX\LDB.exe | N/A
File created | C:\Windows\SysWOW64\MCBFIX\LDB.004 | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A
File created | C:\Windows\SysWOW64\MCBFIX\LDB.001 | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A
File created | C:\Windows\SysWOW64\MCBFIX\LDB.002 | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A
File created | C:\Windows\SysWOW64\MCBFIX\LDB.003 | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Install.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\Kermit.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\MCBFIX\LDB.exe | N/A

NSIS installer

installer
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Kermit.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Windows\SysWOW64\MCBFIX\LDB.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\MCBFIX\LDB.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\MCBFIX\LDB.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\MCBFIX\LDB.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\MCBFIX\LDB.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\MCBFIX\LDB.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2440 wrote to memory of 1464 | N/A | C:\Users\Admin\AppData\Local\Temp\6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Install.exe
PID 2440 wrote to memory of 1464 | N/A | C:\Users\Admin\AppData\Local\Temp\6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Install.exe
PID 2440 wrote to memory of 1464 | N/A | C:\Users\Admin\AppData\Local\Temp\6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Install.exe
PID 2440 wrote to memory of 1464 | N/A | C:\Users\Admin\AppData\Local\Temp\6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Install.exe
PID 2440 wrote to memory of 1464 | N/A | C:\Users\Admin\AppData\Local\Temp\6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Install.exe
PID 2440 wrote to memory of 1464 | N/A | C:\Users\Admin\AppData\Local\Temp\6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Install.exe
PID 2440 wrote to memory of 1464 | N/A | C:\Users\Admin\AppData\Local\Temp\6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Install.exe
PID 2440 wrote to memory of 884 | N/A | C:\Users\Admin\AppData\Local\Temp\6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Kermit.exe
PID 2440 wrote to memory of 884 | N/A | C:\Users\Admin\AppData\Local\Temp\6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Kermit.exe
PID 2440 wrote to memory of 884 | N/A | C:\Users\Admin\AppData\Local\Temp\6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Kermit.exe
PID 2440 wrote to memory of 884 | N/A | C:\Users\Admin\AppData\Local\Temp\6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Kermit.exe
PID 2440 wrote to memory of 884 | N/A | C:\Users\Admin\AppData\Local\Temp\6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Kermit.exe
PID 2440 wrote to memory of 884 | N/A | C:\Users\Admin\AppData\Local\Temp\6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Kermit.exe
PID 2440 wrote to memory of 884 | N/A | C:\Users\Admin\AppData\Local\Temp\6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\Kermit.exe
PID 1464 wrote to memory of 1060 | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | C:\Windows\SysWOW64\MCBFIX\LDB.exe
PID 1464 wrote to memory of 1060 | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | C:\Windows\SysWOW64\MCBFIX\LDB.exe
PID 1464 wrote to memory of 1060 | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | C:\Windows\SysWOW64\MCBFIX\LDB.exe
PID 1464 wrote to memory of 1060 | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | C:\Windows\SysWOW64\MCBFIX\LDB.exe
PID 1464 wrote to memory of 1060 | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | C:\Windows\SysWOW64\MCBFIX\LDB.exe
PID 1464 wrote to memory of 1060 | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | C:\Windows\SysWOW64\MCBFIX\LDB.exe
PID 1464 wrote to memory of 1060 | N/A | C:\Users\Admin\AppData\Local\Temp\Install.exe | C:\Windows\SysWOW64\MCBFIX\LDB.exe

Processes

C:\Users\Admin\AppData\Local\Temp\6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\6d9645853f6a14a564f7be1110327e6f_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\Install.exe

"C:\Users\Admin\AppData\Local\Temp\Install.exe"

C:\Users\Admin\AppData\Local\Temp\Kermit.exe

"C:\Users\Admin\AppData\Local\Temp\Kermit.exe"

C:\Windows\SysWOW64\MCBFIX\LDB.exe

"C:\Windows\system32\MCBFIX\LDB.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\Install.exe

MD5 7852b729c3ac6da81dc48173058c1e51
SHA1 f66fb8c96bdaf5e4f6901280f1b4096b31efc496
SHA256 9f8a15c488dc42ee3694996d10df1cc734107b62afb526ef2a157f45bc63ee26
SHA512 72a0a8359b02a832eb2d493bf663ad8b312ca2bc25b69e55ccd26b3b4879a01e379712e49dc2ffb2711dab49e595713909549c225a2f6654533904660f4add09

\Users\Admin\AppData\Local\Temp\Kermit.exe

MD5 6146c7becde8f5aa3f06c56a5c7876c6
SHA1 599b289ae7ddd6fd3a1e3ded4b6a7db0b627603b
SHA256 94b2bd510e45e2e4611d8106a88fe26d3beafae9acb5f1f94d9042a705605e84
SHA512 4260e85d70b98855ebb234ba180a3056d4bc181ba4f3628c16a6953474e50d9001178cf933f4dd8462e70e438e51df9e380724ce8daa59c62505ab4d0e62c347

\Windows\SysWOW64\MCBFIX\LDB.exe

MD5 3cd29c0df98a7aeb69a9692843ca3edb
SHA1 7c86aea093f1979d18901bd1b89a2b02a60ac3e2
SHA256 5a37cd66508fa3fc85ae547de3498e709bd45167cb57f5e9b271dc3a1cb71a32
SHA512 e78f3206b1878e8db1766d4038a375bbebcbcdb8d1b0a0cb9b0dc72c54881392b9c27e2864ad9118702da58f203f13e0ad5d230980ad1ef2370391a2c4acffc9

C:\Windows\SysWOW64\MCBFIX\LDB.004

MD5 12184213127875905ed91975d1972e48
SHA1 42431004f6a147e75875361ee8dc029fb5add072
SHA256 c2c838072aa40b9b29ce12e0051c11bc2b0b46efc814b4462ac4502136f4e983
SHA512 7c8a48270f8804205ced0cbfefd4ce63fc7cf53bdf866416d941e805655d637f31f3650d24da3b6fbe7407e3ce43d3a7f14658b28adb457281e1d552d654b8f9

C:\Windows\SysWOW64\MCBFIX\LDB.003

MD5 cefd6e9c8a039ab9a7833414dfb03f76
SHA1 2a026d0514e0119d0fd545a0d2f6deb198806b70
SHA256 4d71cf9a598c7babd938c2635a755441da18502118cc3336ae25389510c7d01f
SHA512 efcfd6654bf0c45158f43a8c8fd45cc8d40cac227926faa0cd368f1d8012df1bc271f3c7d5db539b1bf282087e533e5a809cf040ac087fcfab58bb320c5a5502

C:\Users\Admin\AppData\Local\Temp\nsoB83A.tmp\ioSpecial.ini

MD5 b7a080223bb6819cac4c87328c46fabf
SHA1 42f7c5ea7e67248e2ce4648c6f54f2425cd5518e
SHA256 315871214e27b9acfda09f5f32e837f8b99f6dd03a76618e9793bfd46b831282
SHA512 dc8722efb3fb40646511e1fbe30ae7b4654e44e06ba23806f9d4f5601f0000494dbe13a1ba82f746c7abf4cfab3b83cfe00a08a4c19c4d86fedd0bf699b151a5

\Users\Admin\AppData\Local\Temp\nsoB83A.tmp\InstallOptions.dll

MD5 325b008aec81e5aaa57096f05d4212b5
SHA1 27a2d89747a20305b6518438eff5b9f57f7df5c3
SHA256 c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
SHA512 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf

C:\Windows\SysWOW64\MCBFIX\LDB.002

MD5 93df156c4bd9d7341f4c4a4847616a69
SHA1 c7663b32c3c8e247bc16b51aff87b45484652dc1
SHA256 e55b6eabf0f99b90bd4cf3777c25813bded7b6fc5c9955188c8aa5224d299c3e
SHA512 ed2e98c5fd1f0d49e5bac8baa515d489c89f8d42772ae05e4b7a32da8f06d511adad27867034ca0865beae9f78223e95c7d0f826154fc663f2fab9bd61e36e35

C:\Windows\SysWOW64\MCBFIX\LDB.001

MD5 383d5f5d4240d590e7dec3f7312a4ac7
SHA1 f6bcade8d37afb80cf52a89b3e84683f4643fbce
SHA256 7e87f6817b17a75106d34ce9884c40ddfb381bf8f2013930916498d1df0a6422
SHA512 e652c41ec95d653940b869426bc2cbd8e5b3159110ffaab7d623e23eebe1f34ca65be6a9a9cdcd5f41aec7567469d6b4d6362d24ae92267cddb8940e1265806a

memory/884-113-0x00000000003C0000-0x00000000003D5000-memory.dmp