Malware Analysis Report

2024-10-19 10:25

Sample ID 240909-sx4fravgrp
Target d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118
SHA256 7d27252ef87acae8a2b583d920e52d8210ee69c4f9591ed20de1cfd55bf01650
Tags
netwire botnet discovery rat stealer
score
10/10

Analysis Overview

Threat Level: Known bad

The file d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

NetWire RAT payload

Netwire

Drops startup file

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-09-09 15:31

Signatures

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted

2024-09-09 15:31

Reported

2024-09-09 15:33

Platform

win7-20240903-en

Max time kernel

141s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe"

Signatures

NetWire RAT payload

rat

Netwire

botnet stealer netwire

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TVnkRn.url C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe N/A

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2720 set thread context of 2608 N/A C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2720 wrote to memory of 2784 N/A C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 2784 wrote to memory of 1792 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 2720 wrote to memory of 2608 N/A C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ylvjgbrd\ylvjgbrd.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF4F9.tmp" "c:\Users\Admin\AppData\Local\Temp\ylvjgbrd\CSCC482708DAAAF4C1D87EA3686476BF663.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 extensions14718.sytes.net udp
US 8.8.8.8:53 extensions14718sec.sytes.net udp

Files

\??\c:\Users\Admin\AppData\Local\Temp\ylvjgbrd\ylvjgbrd.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\ylvjgbrd\ylvjgbrd.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\ylvjgbrd\CSCC482708DAAAF4C1D87EA3686476BF663.TMP

C:\Users\Admin\AppData\Local\Temp\RESF4F9.tmp

C:\Users\Admin\AppData\Local\Temp\ylvjgbrd\ylvjgbrd.pdb

C:\Users\Admin\AppData\Local\Temp\ylvjgbrd\ylvjgbrd.dll

Analysis: behavioral2

Detonation Overview

Submitted

2024-09-09 15:31

Reported

2024-09-09 15:33

Platform

win10v2004-20240802-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe"

Signatures

NetWire RAT payload

rat

Netwire

botnet stealer netwire

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TVnkRn.url C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe N/A

Uses the VBS compiler for execution

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3156 set thread context of 708 N/A C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3156 wrote to memory of 1504 N/A C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
PID 1504 wrote to memory of 2436 N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe
PID 3156 wrote to memory of 708 N/A C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\d699e0316ff32d7b7d551ad6abface4c_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\wtdvwpgm\wtdvwpgm.cmdline"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8702.tmp" "c:\Users\Admin\AppData\Local\Temp\wtdvwpgm\CSC436D0B4487CD4416A574D5DEA2CE508.TMP"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 extensions14718.sytes.net udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 22.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 42.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 extensions14718sec.sytes.net udp
US 8.8.8.8:53 73.144.22.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp

Files

\??\c:\Users\Admin\AppData\Local\Temp\wtdvwpgm\wtdvwpgm.cmdline

\??\c:\Users\Admin\AppData\Local\Temp\wtdvwpgm\wtdvwpgm.0.cs

\??\c:\Users\Admin\AppData\Local\Temp\wtdvwpgm\CSC436D0B4487CD4416A574D5DEA2CE508.TMP

C:\Users\Admin\AppData\Local\Temp\RES8702.tmp

C:\Users\Admin\AppData\Local\Temp\wtdvwpgm\wtdvwpgm.pdb

C:\Users\Admin\AppData\Local\Temp\wtdvwpgm\wtdvwpgm.dll
