Malware Analysis Report

2024-10-18 23:06

Sample ID 240725-dxxwmsyeqf
Target d70981a07b9cb09a0ee1b300f2944cdf6c8ce3f0c048c702c9b319b1e9903168
SHA256 d70981a07b9cb09a0ee1b300f2944cdf6c8ce3f0c048c702c9b319b1e9903168
Tags: ardamax discovery keylogger persistence stealer
Score: 10/10


Analysis Overview

Score: 10/10

SHA256

d70981a07b9cb09a0ee1b300f2944cdf6c8ce3f0c048c702c9b319b1e9903168

Threat Level: Known bad

The file d70981a07b9cb09a0ee1b300f2944cdf6c8ce3f0c048c702c9b319b1e9903168 was found to be: Known bad.

Malicious Activity Summary

ardamax discovery keylogger persistence stealer

Ardamax main executable

Ardamax

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Checks installed software on the system

Adds Run key to start application

Drops file in System32 directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-25 03:23

Signatures

Unsigned PE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-25 03:23

Reported

2024-07-25 03:26

Platform

win7-20240708-en

Max time kernel

117s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d70981a07b9cb09a0ee1b300f2944cdf6c8ce3f0c048c702c9b319b1e9903168.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ko3.exe | N/A |
| N/A | N/A | C:\ko2.exe | N/A |
| N/A | N/A | C:\ko1.exe | N/A |
| N/A | N/A | C:\ko.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\28463\SAQB.exe | N/A |

Loads dropped DLL

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ko.exe | N/A |
| N/A | N/A | C:\ko.exe | N/A |
| N/A | N/A | C:\ko.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\28463\SAQB.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\28463\SAQB.exe | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\SAQB Agent = "C:\\Windows\\SysWOW64\\28463\\SAQB.exe" | C:\Windows\SysWOW64\28463\SAQB.exe | N/A |

Checks installed software on the system

discovery

Drops file in System32 directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\28463\SAQB.001 | C:\ko.exe | N/A |
| File created | C:\Windows\SysWOW64\28463\SAQB.006 | C:\ko.exe | N/A |
| File created | C:\Windows\SysWOW64\28463\SAQB.007 | C:\ko.exe | N/A |
| File created | C:\Windows\SysWOW64\28463\SAQB.exe | C:\ko.exe | N/A |
| File created | C:\Windows\SysWOW64\28463\AKV.exe | C:\ko.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\28463 | C:\Windows\SysWOW64\28463\SAQB.exe | N/A |

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d70981a07b9cb09a0ee1b300f2944cdf6c8ce3f0c048c702c9b319b1e9903168.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ko3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ko2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ko1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ko.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\28463\SAQB.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Windows\SysWOW64\28463\SAQB.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\28463\SAQB.exe | N/A |

Suspicious use of SetWindowsHookEx

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\28463\SAQB.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\28463\SAQB.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\28463\SAQB.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\28463\SAQB.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\28463\SAQB.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1708 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\d70981a07b9cb09a0ee1b300f2944cdf6c8ce3f0c048c702c9b319b1e9903168.exe | C:\ko3.exe |
| PID 1708 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\d70981a07b9cb09a0ee1b300f2944cdf6c8ce3f0c048c702c9b319b1e9903168.exe | C:\ko3.exe |
| PID 1708 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\d70981a07b9cb09a0ee1b300f2944cdf6c8ce3f0c048c702c9b319b1e9903168.exe | C:\ko3.exe |
| PID 1708 wrote to memory of 2128 | N/A | C:\Users\Admin\AppData\Local\Temp\d70981a07b9cb09a0ee1b300f2944cdf6c8ce3f0c048c702c9b319b1e9903168.exe | C:\ko3.exe |
| PID 2128 wrote to memory of 2704 | N/A | C:\ko3.exe | C:\ko2.exe |
| PID 2128 wrote to memory of 2704 | N/A | C:\ko3.exe | C:\ko2.exe |
| PID 2128 wrote to memory of 2704 | N/A | C:\ko3.exe | C:\ko2.exe |
| PID 2128 wrote to memory of 2704 | N/A | C:\ko3.exe | C:\ko2.exe |
| PID 2704 wrote to memory of 2300 | N/A | C:\ko2.exe | C:\ko1.exe |
| PID 2704 wrote to memory of 2300 | N/A | C:\ko2.exe | C:\ko1.exe |
| PID 2704 wrote to memory of 2300 | N/A | C:\ko2.exe | C:\ko1.exe |
| PID 2704 wrote to memory of 2300 | N/A | C:\ko2.exe | C:\ko1.exe |
| PID 2300 wrote to memory of 2724 | N/A | C:\ko1.exe | C:\ko.exe |
| PID 2300 wrote to memory of 2724 | N/A | C:\ko1.exe | C:\ko.exe |
| PID 2300 wrote to memory of 2724 | N/A | C:\ko1.exe | C:\ko.exe |
| PID 2300 wrote to memory of 2724 | N/A | C:\ko1.exe | C:\ko.exe |
| PID 2724 wrote to memory of 2668 | N/A | C:\ko.exe | C:\Windows\SysWOW64\28463\SAQB.exe |
| PID 2724 wrote to memory of 2668 | N/A | C:\ko.exe | C:\Windows\SysWOW64\28463\SAQB.exe |
| PID 2724 wrote to memory of 2668 | N/A | C:\ko.exe | C:\Windows\SysWOW64\28463\SAQB.exe |
| PID 2724 wrote to memory of 2668 | N/A | C:\ko.exe | C:\Windows\SysWOW64\28463\SAQB.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\d70981a07b9cb09a0ee1b300f2944cdf6c8ce3f0c048c702c9b319b1e9903168.exe

"C:\Users\Admin\AppData\Local\Temp\d70981a07b9cb09a0ee1b300f2944cdf6c8ce3f0c048c702c9b319b1e9903168.exe"

C:\ko3.exe

"C:\ko3.exe"

C:\ko2.exe

"C:\ko2.exe"

C:\ko1.exe

"C:\ko1.exe"

C:\ko.exe

"C:\ko.exe"

C:\Windows\SysWOW64\28463\SAQB.exe

"C:\Windows\system32\28463\SAQB.exe"

Network

N/A

Files

C:\ko3.exe

memory/1708-6-0x0000000000400000-0x0000000000438000-memory.dmp

memory/2128-14-0x0000000000400000-0x0000000000438000-memory.dmp

C:\ko2.exe

C:\ko1.exe

memory/2704-22-0x0000000000400000-0x0000000000438000-memory.dmp

C:\ko.exe

memory/2300-32-0x0000000000400000-0x0000000000438000-memory.dmp

\Users\Admin\AppData\Local\Temp\@27CC.tmp

C:\Windows\SysWOW64\28463\SAQB.exe

C:\Windows\SysWOW64\28463\SAQB.007

C:\Windows\SysWOW64\28463\SAQB.006

C:\Windows\SysWOW64\28463\SAQB.001

C:\Windows\SysWOW64\28463\AKV.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-25 03:23

Reported

2024-07-25 03:26

Platform

win10v2004-20240709-en

Max time kernel

94s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d70981a07b9cb09a0ee1b300f2944cdf6c8ce3f0c048c702c9b319b1e9903168.exe"

Signatures

Ardamax

keylogger stealer ardamax

Ardamax main executable

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |

Checks computer location settings

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\ko1.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\ko.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\d70981a07b9cb09a0ee1b300f2944cdf6c8ce3f0c048c702c9b319b1e9903168.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\ko3.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2636447293-1148739154-93880854-1000\Control Panel\International\Geo\Nation | C:\ko2.exe | N/A |

Executes dropped EXE

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ko3.exe | N/A |
| N/A | N/A | C:\ko2.exe | N/A |
| N/A | N/A | C:\ko1.exe | N/A |
| N/A | N/A | C:\ko.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\28463\SAQB.exe | N/A |

Loads dropped DLL

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\ko.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\28463\SAQB.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\28463\SAQB.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\28463\SAQB.exe | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\SAQB Agent = "C:\\Windows\\SysWOW64\\28463\\SAQB.exe" | C:\Windows\SysWOW64\28463\SAQB.exe | N/A |

Checks installed software on the system

discovery

Drops file in System32 directory

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\28463\SAQB.exe | C:\ko.exe | N/A |
| File created | C:\Windows\SysWOW64\28463\AKV.exe | C:\ko.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\28463 | C:\Windows\SysWOW64\28463\SAQB.exe | N/A |
| File created | C:\Windows\SysWOW64\28463\SAQB.001 | C:\ko.exe | N/A |
| File created | C:\Windows\SysWOW64\28463\SAQB.006 | C:\ko.exe | N/A |
| File created | C:\Windows\SysWOW64\28463\SAQB.007 | C:\ko.exe | N/A |

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ko3.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ko2.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ko1.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ko.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\28463\SAQB.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\d70981a07b9cb09a0ee1b300f2944cdf6c8ce3f0c048c702c9b319b1e9903168.exe | N/A |

Suspicious use of AdjustPrivilegeToken

| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Windows\SysWOW64\28463\SAQB.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\28463\SAQB.exe | N/A |

Suspicious use of SetWindowsHookEx

| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\28463\SAQB.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\28463\SAQB.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\28463\SAQB.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\28463\SAQB.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\28463\SAQB.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3112 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\d70981a07b9cb09a0ee1b300f2944cdf6c8ce3f0c048c702c9b319b1e9903168.exe | C:\ko3.exe |
| PID 3112 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\d70981a07b9cb09a0ee1b300f2944cdf6c8ce3f0c048c702c9b319b1e9903168.exe | C:\ko3.exe |
| PID 3112 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\d70981a07b9cb09a0ee1b300f2944cdf6c8ce3f0c048c702c9b319b1e9903168.exe | C:\ko3.exe |
| PID 2384 wrote to memory of 2556 | N/A | C:\ko3.exe | C:\ko2.exe |
| PID 2384 wrote to memory of 2556 | N/A | C:\ko3.exe | C:\ko2.exe |
| PID 2384 wrote to memory of 2556 | N/A | C:\ko3.exe | C:\ko2.exe |
| PID 2556 wrote to memory of 2060 | N/A | C:\ko2.exe | C:\ko1.exe |
| PID 2556 wrote to memory of 2060 | N/A | C:\ko2.exe | C:\ko1.exe |
| PID 2556 wrote to memory of 2060 | N/A | C:\ko2.exe | C:\ko1.exe |
| PID 2060 wrote to memory of 3272 | N/A | C:\ko1.exe | C:\ko.exe |
| PID 2060 wrote to memory of 3272 | N/A | C:\ko1.exe | C:\ko.exe |
| PID 2060 wrote to memory of 3272 | N/A | C:\ko1.exe | C:\ko.exe |
| PID 3272 wrote to memory of 4612 | N/A | C:\ko.exe | C:\Windows\SysWOW64\28463\SAQB.exe |
| PID 3272 wrote to memory of 4612 | N/A | C:\ko.exe | C:\Windows\SysWOW64\28463\SAQB.exe |
| PID 3272 wrote to memory of 4612 | N/A | C:\ko.exe | C:\Windows\SysWOW64\28463\SAQB.exe |

Processes

C:\Users\Admin\AppData\Local\Temp\d70981a07b9cb09a0ee1b300f2944cdf6c8ce3f0c048c702c9b319b1e9903168.exe

"C:\Users\Admin\AppData\Local\Temp\d70981a07b9cb09a0ee1b300f2944cdf6c8ce3f0c048c702c9b319b1e9903168.exe"

C:\ko3.exe

"C:\ko3.exe"

C:\ko2.exe

"C:\ko2.exe"

C:\ko1.exe

"C:\ko1.exe"

C:\ko.exe

"C:\ko.exe"

C:\Windows\SysWOW64\28463\SAQB.exe

"C:\Windows\system32\28463\SAQB.exe"

Network

| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |

Files

C:\ko3.exe

memory/3112-9-0x0000000000400000-0x0000000000438000-memory.dmp

C:\ko2.exe

memory/2384-19-0x0000000000400000-0x0000000000438000-memory.dmp

C:\ko1.exe

memory/2556-29-0x0000000000400000-0x0000000000438000-memory.dmp

C:\ko.exe

C:\Users\Admin\AppData\Local\Temp\@AEC4.tmp

memory/2060-44-0x0000000000400000-0x0000000000438000-memory.dmp

C:\Windows\SysWOW64\28463\SAQB.exe

C:\Windows\SysWOW64\28463\SAQB.006

C:\Windows\SysWOW64\28463\SAQB.007

C:\Windows\SysWOW64\28463\SAQB.001

C:\Windows\SysWOW64\28463\AKV.exe
