Malware Analysis Report

2025-01-18 12:24

Sample ID 240828-3pkc1svaml
Target c7db2f2dc554de12f13d17e18475c84d_JaffaCakes118
SHA256 55e4fe94a51a73a2201d449c54315c5428a4a7a2e778cf33ba387bd0b158e6df
Tags
formbook bi discovery rat spyware stealer trojan credential_access persistence
score
10/10

Analysis Overview

score
10/10

SHA256

55e4fe94a51a73a2201d449c54315c5428a4a7a2e778cf33ba387bd0b158e6df

Threat Level: Known bad

The file c7db2f2dc554de12f13d17e18475c84d_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

formbook bi discovery rat spyware stealer trojan credential_access persistence

Formbook

Formbook payload

Credentials from Password Stores: Credentials from Web Browsers

Loads dropped DLL

Reads user/profile data of web browsers

Executes dropped EXE

Adds Run key to start application

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Drops file in Program Files directory

Drops file in Windows directory

System Location Discovery: System Language Discovery

Unsigned PE

Modifies registry class

Modifies Internet Explorer settings

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: MapViewOfSection

Suspicious behavior: EnumeratesProcesses

Suspicious use of UnmapMainImage

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-28 23:41

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-28 23:41

Reported

2024-08-28 23:43

Platform

win7-20240729-en

Max time kernel

17s

Max time network

21s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c7db2f2dc554de12f13d17e18475c84d_JaffaCakes118.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2616 set thread context of 2384 N/A C:\Users\Admin\AppData\Local\Temp\c7db2f2dc554de12f13d17e18475c84d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 2384 set thread context of 1184 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\Explorer.EXE

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c7db2f2dc554de12f13d17e18475c84d_JaffaCakes118.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c7db2f2dc554de12f13d17e18475c84d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\c7db2f2dc554de12f13d17e18475c84d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c7db2f2dc554de12f13d17e18475c84d_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\svhost.exe

"C:\Users\Admin\AppData\Local\Temp\svhost.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 32827e69b293b99013bbbe37d029245d
SHA1 bc9f80a38f09354d71467a05b0c5a82c3f7dac53
SHA256 9250b89157770e3ab59a2c7e2dd6b12b3c61d9b7c6620c3b4727e4bfff10f01f
SHA512 58c9a072e2bea0a8f22b4e69512abafad271ca91f2e3d2b4233796dd3d83021aad1c6da69fc8f7e7ca7919d34bde941cb8b5d185b668168866d1180558b93cf5

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-28 23:41

Reported

2024-08-28 23:43

Platform

win10v2004-20240802-en

Max time kernel

148s

Max time network

148s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Credentials from Password Stores: Credentials from Web Browsers

credential_access stealer

Formbook payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RPQXOHQ84R = "C:\\Program Files (x86)\\Sobk8ftb\\xjd4gtbpb070ann.exe" C:\Windows\SysWOW64\explorer.exe N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\c7db2f2dc554de12f13d17e18475c84d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\c7db2f2dc554de12f13d17e18475c84d_JaffaCakes118.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2444 set thread context of 220 N/A C:\Users\Admin\AppData\Local\Temp\c7db2f2dc554de12f13d17e18475c84d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 220 set thread context of 3556 N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe C:\Windows\Explorer.EXE
PID 3740 set thread context of 3556 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\Explorer.EXE

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Sobk8ftb\xjd4gtbpb070ann.exe C:\Windows\SysWOW64\explorer.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\assembly C:\Users\Admin\AppData\Local\Temp\c7db2f2dc554de12f13d17e18475c84d_JaffaCakes118.exe N/A
File created C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\c7db2f2dc554de12f13d17e18475c84d_JaffaCakes118.exe N/A
File opened for modification C:\Windows\assembly\Desktop.ini C:\Users\Admin\AppData\Local\Temp\c7db2f2dc554de12f13d17e18475c84d_JaffaCakes118.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\cmd.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\c7db2f2dc554de12f13d17e18475c84d_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\explorer.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \Registry\User\S-1-5-21-4182098368-2521458979-3782681353-1000\SOFTWARE\Microsoft\Internet Explorer\IntelliForms\Storage2 C:\Windows\SysWOW64\explorer.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\Explorer.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\Explorer.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\c7db2f2dc554de12f13d17e18475c84d_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A
N/A N/A C:\Windows\SysWOW64\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\c7db2f2dc554de12f13d17e18475c84d_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svhost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.EXE N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2444 wrote to memory of 220 N/A C:\Users\Admin\AppData\Local\Temp\c7db2f2dc554de12f13d17e18475c84d_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svhost.exe
PID 3556 wrote to memory of 3740 N/A C:\Windows\Explorer.EXE C:\Windows\SysWOW64\explorer.exe
PID 3740 wrote to memory of 4308 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\cmd.exe
PID 3740 wrote to memory of 1224 N/A C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\c7db2f2dc554de12f13d17e18475c84d_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\c7db2f2dc554de12f13d17e18475c84d_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\svhost.exe

"C:\Users\Admin\AppData\Local\Temp\svhost.exe"

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\SysWOW64\explorer.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\svhost.exe"

C:\Windows\SysWOW64\cmd.exe

/c copy "C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Login Data" "C:\Users\Admin\AppData\Local\Temp\DB1" /V

Network

Country Destination Domain Proto
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 www.drivesafetv.com udp
US 8.8.8.8:53 www.scaker.com udp
US 8.8.8.8:53 www.ahchoices.com udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 www.onva.online udp
US 104.21.47.185:80 www.onva.online tcp
US 8.8.8.8:53 185.47.21.104.in-addr.arpa udp
US 8.8.8.8:53 www.haichenge.com udp
US 8.8.8.8:53 www.obedenie.com udp
RU 91.106.207.25:80 www.obedenie.com tcp
US 8.8.8.8:53 25.207.106.91.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\svhost.exe

MD5 1c9ff7df71493896054a91bee0322ebf
SHA1 38f1c85965d58b910d8e8381b6b1099d5dfcbfe4
SHA256 e8b5da3394bbdd7868122ffd88d9d06afe31bd69d656857910d2f820c32d0efa
SHA512 aa0def62b663743e6c3c022182b35cff33cb9abf08453d5098f3c5d32b2a8b0cd1cc5de64b93e39680c1d1396fef1fd50b642ca3ea4ba1f6d1078321d96916ab

C:\Users\Admin\AppData\Local\Temp\DB1

MD5 a182561a527f929489bf4b8f74f65cd7
SHA1 8cd6866594759711ea1836e86a5b7ca64ee8911f
SHA256 42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914
SHA512 9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

C:\Users\Admin\AppData\Roaming\N553200E\N55logri.ini

MD5 d63a82e5d81e02e399090af26db0b9cb
SHA1 91d0014c8f54743bba141fd60c9d963f869d76c9
SHA256 eaece2eba6310253249603033c744dd5914089b0bb26bde6685ec9813611baae
SHA512 38afb05016d8f3c69d246321573997aaac8a51c34e61749a02bf5e8b2b56b94d9544d65801511044e1495906a86dc2100f2e20ff4fcbed09e01904cc780fdbad

C:\Users\Admin\AppData\Roaming\N553200E\N55logrv.ini

MD5 bbc41c78bae6c71e63cb544a6a284d94
SHA1 33f2c1d9fa0e9c99b80bc2500621e95af38b1f9a
SHA256 ee83c6bcea9353c74bfc0a7e739f3c4a765ace894470e09cdcdebba700b8d4cb
SHA512 0aea424b57adae3e14ad6491cab585f554b4dffe601b5a17bad6ee6177d2f0f995e419cde576e2d1782b9bddc0661aada11a2c9f1454ae625d9e3223635ec9f4

C:\Users\Admin\AppData\Roaming\N553200E\N55logrg.ini

MD5 4aadf49fed30e4c9b3fe4a3dd6445ebe
SHA1 1e332822167c6f351b99615eada2c30a538ff037
SHA256 75034beb7bded9aeab5748f4592b9e1419256caec474065d43e531ec5cc21c56
SHA512 eb5b3908d5e7b43ba02165e092f05578f45f15a148b4c3769036aa542c23a0f7cd2bc2770cf4119a7e437de3f681d9e398511f69f66824c516d9b451bb95f945

C:\Users\Admin\AppData\Roaming\N553200E\N55logim.jpeg

MD5 3e82d2be4c661ae0d1372c8e96f728f7
SHA1 70d750f6dcd257a50f0142db0706b82f3f37cc94
SHA256 43c8038249c854f753c6a1b18dc50f8c23c3bb1f2a5788e209904b5d02fdb4ee
SHA512 5f3958e9ce5379d295b13ec84b2d1fdb88b463026d6753a616400ef58c13c2e0f74df5dd0c6bb108c38f6824392399b715228016ae7d290334770a2c1f72f81f