Malware Analysis Report

2025-06-16 00:53

Sample ID 241031-plj17awqat
Target 8303224aaa5db71190160308fe80deed_JaffaCakes118
SHA256 665eb5f535fb0f782e2484a043c69bd500d0ff305571554dde5969588d57a9ca
Tags
credential_access discovery spyware stealer
score
7/10


Analysis Overview

score
7/10

SHA256

665eb5f535fb0f782e2484a043c69bd500d0ff305571554dde5969588d57a9ca

Threat Level: Shows suspicious behavior

The file 8303224aaa5db71190160308fe80deed_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

credential_access discovery spyware stealer

Reads user/profile data of web browsers

Reads data files stored by FTP clients

Unsecured Credentials: Credentials In Files

Loads dropped DLL

Executes dropped EXE

Reads local data of messenger clients

Suspicious use of SetThreadContext

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-31 12:24

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-31 12:24

Reported

2024-10-31 13:22

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\ctfmon.exe | N/A

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2096 set thread context of 3532 | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\ctfmon.exe

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\ctfmon.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2096 wrote to memory of 1284 | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2096 wrote to memory of 1284 | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2096 wrote to memory of 1284 | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 1284 wrote to memory of 1524 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1284 wrote to memory of 1524 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1284 wrote to memory of 1524 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2096 wrote to memory of 3532 | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\ctfmon.exe
PID 2096 wrote to memory of 3532 | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\ctfmon.exe
PID 2096 wrote to memory of 3532 | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\ctfmon.exe
PID 2096 wrote to memory of 3532 | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\ctfmon.exe
PID 2096 wrote to memory of 3532 | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\ctfmon.exe
PID 2096 wrote to memory of 3532 | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\ctfmon.exe
PID 2096 wrote to memory of 3532 | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\ctfmon.exe
PID 2096 wrote to memory of 3532 | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\ctfmon.exe
PID 2096 wrote to memory of 3532 | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\ctfmon.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p8rgmf_7.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA336.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA335.tmp"

C:\Users\Admin\AppData\Roaming\ctfmon.exe

C:\Users\Admin\AppData\Roaming\ctfmon.exe

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp
US | 8.8.8.8:53 | 107.12.20.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp

Files

memory/2096-0-0x0000000074A62000-0x0000000074A63000-memory.dmp

memory/2096-1-0x0000000074A60000-0x0000000075011000-memory.dmp

memory/2096-2-0x0000000074A60000-0x0000000075011000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\p8rgmf_7.cmdline

MD5 87a5ac72919fa975d063abe109e2fe41
SHA1 08ef8ba471b330866f2fd1ac26b9c0168521b3a9
SHA256 0b6c7ddbbaea6dbcf3d0a2de0db82a51f3cea54fe6f6e1878c314d43c1ed78df
SHA512 8f951f519970c701d7c3f883a216930fae4386cfb5b74c911ccbe986ce779b10094e1be6bfc9ad8bda46cb85fa5b7b8c44dd14ea972e0bcfd3d31fe0c33590a5

\??\c:\Users\Admin\AppData\Local\Temp\p8rgmf_7.0.cs

MD5 2216d197bc442e875016eba15c07a937
SHA1 37528e21ea3271b85d276c6bd003e6c60c81545d
SHA256 2e9e3da7bfa1334706550bb4d6269bf3e64cbbc09fa349af52eb22f32aebb4af
SHA512 7d7bdc3bf83ac0a29e917ead899dcaa1b47ee2660f405fe4883ca2a2546f7924265e1d75a2ea02c0e34fac4d2bb82bbaaa88d06c240afad4e9fd49337cd04d3f

memory/1284-9-0x0000000074A60000-0x0000000075011000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSCA335.tmp

MD5 c07aaa3881e69bce52aa21297480d6e0
SHA1 043ce3f67cc38909bbc9983de4b4a0e7ac9def1b
SHA256 9b4d1d48fb580afa59d299eaaaee605d113f8bafa93b8fce5f52bad5450bd298
SHA512 5708b180c6a4b1bcedc569f611bc254062bd6e7aa66600fc7eb35fa03568cd981d1cdcff9276b379978926c126747e495653dcd065a3fd552239b40989decedf

C:\Users\Admin\AppData\Local\Temp\RESA336.tmp

MD5 28a0995f7c2b0c3675cc827790773dc8
SHA1 765c7cc577c12ce8df1e4ee88c11627481e18eb3
SHA256 4fa0e119c99a780bc87eea3cc3dd37a7f5ffc7301f53b3069ea15e7b20545acb
SHA512 d06994e0220ff34c3e21716f7e289b113845004d29d0cc73b6c65bb4b6c3c3c97f079652310eaa542097aa20aec7a3d7dfb9a028faad95534d9c2b07e7a34e4e

C:\Users\Admin\AppData\Local\Temp\p8rgmf_7.dll

MD5 30dafadade8850dcb3218fe9133aff95
SHA1 5218b9eb01f290934b8ba931722a87aa63b5f586
SHA256 8ed9f75bd8196681462b42c1a08264dc50a0fa515df6a0822e0ca6f93c9d657b
SHA512 aca7aabb3555aaafcaa58702db98ee4f31baf1a48562ff80945b385827e9f86b2423c8e53856429eb3d14750e2f4b74f85daa2a907d27f755bd974df72e314fe

memory/1284-16-0x0000000074A60000-0x0000000075011000-memory.dmp

C:\Users\Admin\AppData\Roaming\ctfmon.exe

MD5 e32cdc2a701efc0c43ba95d99bcf9e32
SHA1 2b293b5c64fabea0e7b4c23e519829ce3fc2da0e
SHA256 da79b35907e16d73c73fdcef017a79cf78091a4b3daeb7834cb72783d8b79e0e
SHA512 7cf10ce268bacef2a222ecd1b4cacf7c99d40175cb754f1dbb4db18977e84831654666265498a895b27d3954bb9905277f2420f07c273051a6e6c59988c141c6

memory/3532-20-0x0000000000400000-0x0000000000458000-memory.dmp

memory/3532-25-0x0000000000400000-0x0000000000458000-memory.dmp

memory/3532-27-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2096-26-0x0000000074A60000-0x0000000075011000-memory.dmp

memory/3532-30-0x0000000000400000-0x0000000000458000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-31 12:24

Reported

2024-10-31 13:22

Platform

win7-20240903-en

Max time kernel

122s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe"

Signatures

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\ctfmon.exe | N/A

Reads data files stored by FTP clients

spyware stealer

Reads local data of messenger clients

spyware stealer

Reads user/profile data of web browsers

spyware stealer

Unsecured Credentials: Credentials In Files

credential_access stealer

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2384 set thread context of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\ctfmon.exe

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\ctfmon.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2384 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2384 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2384 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2384 wrote to memory of 2744 | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2744 wrote to memory of 2780 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2744 wrote to memory of 2780 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2744 wrote to memory of 2780 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2744 wrote to memory of 2780 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2384 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\ctfmon.exe
PID 2384 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\ctfmon.exe
PID 2384 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\ctfmon.exe
PID 2384 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\ctfmon.exe
PID 2384 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\ctfmon.exe
PID 2384 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\ctfmon.exe
PID 2384 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\ctfmon.exe
PID 2384 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\ctfmon.exe
PID 2384 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\ctfmon.exe
PID 2384 wrote to memory of 2664 | N/A | C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe | C:\Users\Admin\AppData\Roaming\ctfmon.exe

Processes

C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8303224aaa5db71190160308fe80deed_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\4xavzurb.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF5E4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCF5E3.tmp"

C:\Users\Admin\AppData\Roaming\ctfmon.exe

C:\Users\Admin\AppData\Roaming\ctfmon.exe

Network

N/A

Files

memory/2384-0-0x0000000074A21000-0x0000000074A22000-memory.dmp

memory/2384-1-0x0000000074A20000-0x0000000074FCB000-memory.dmp

memory/2384-2-0x0000000074A20000-0x0000000074FCB000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\4xavzurb.cmdline

MD5 75e249519e1942172ca77381b71dcf93
SHA1 bdef99d25d60059c1768a3a5fb43bd9b7c045664
SHA256 2969546ead7e1b81f57c03bc4ebee0dee0bb0191eedbc80709c996525beb29ad
SHA512 073e03fc6d107bb08db06e0230fc0c11ee2ee6d5abb034ff27eb29626f3a85fd4d7e819d5836a22b603fba7c5a13a92d092b007f69ea6f394cc3e1dc915daa95

\??\c:\Users\Admin\AppData\Local\Temp\4xavzurb.0.cs

MD5 2216d197bc442e875016eba15c07a937
SHA1 37528e21ea3271b85d276c6bd003e6c60c81545d
SHA256 2e9e3da7bfa1334706550bb4d6269bf3e64cbbc09fa349af52eb22f32aebb4af
SHA512 7d7bdc3bf83ac0a29e917ead899dcaa1b47ee2660f405fe4883ca2a2546f7924265e1d75a2ea02c0e34fac4d2bb82bbaaa88d06c240afad4e9fd49337cd04d3f

memory/2744-9-0x0000000074A20000-0x0000000074FCB000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSCF5E3.tmp

MD5 4080c61ae44490976eaa94f11f2e9de0
SHA1 1a536aec4723fb9bfea9919beb712cc845182c15
SHA256 a7fbb0d557a808ed977d09b8914f2387a2a23e65c93c5e00792e90bc27881d78
SHA512 5efe09c3edfae3acea1f7dcf81d6fb8a3b90f13efdf239d60cd5e3841a5efd2b7812a68f80b79d1c3d097c0f111ae9a8309d20679218c97c4dde145a69f8a042

C:\Users\Admin\AppData\Local\Temp\RESF5E4.tmp

MD5 4bd860abfa72107a70d7a4d3903cbaeb
SHA1 5c23c19e46c1c272d2c1ea6b1d2d78a9ac1fbadc
SHA256 441c8d8439bdb51c829a535bd797c8756b19f0dc95818844d231c064a3523c13
SHA512 958ddb47edc119142beb28f25dfb3b0bf153b307e03ba39d682cde7180322f6c9472cf93c05e051793eced83e8356cc1215811864de0d45aa9ccc09f72fa0d09

memory/2744-16-0x0000000074A20000-0x0000000074FCB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4xavzurb.dll

MD5 1b582355a571c1e18da584d78600be64
SHA1 143b8227eb9aeba18e905a0051c923c03572db9b
SHA256 0c5a111bc81a948fb8fa80bf8f831655b45c0dab8b82687b40e68cb8077399b8
SHA512 417c70e3134effa0b2e0466fac5ceafbf71ca9482e369137732da05d8c2d64e250c745b7c83922d6d677a83c78c280bb7d98c657fb159ea7571bbb3484bf9a53

memory/2664-41-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2664-40-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Roaming\ctfmon.exe

MD5 e32cdc2a701efc0c43ba95d99bcf9e32
SHA1 2b293b5c64fabea0e7b4c23e519829ce3fc2da0e
SHA256 da79b35907e16d73c73fdcef017a79cf78091a4b3daeb7834cb72783d8b79e0e
SHA512 7cf10ce268bacef2a222ecd1b4cacf7c99d40175cb754f1dbb4db18977e84831654666265498a895b27d3954bb9905277f2420f07c273051a6e6c59988c141c6

memory/2664-37-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2664-35-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2664-33-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2664-31-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2664-29-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2664-27-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2664-25-0x0000000000400000-0x0000000000458000-memory.dmp

memory/2384-46-0x0000000074A20000-0x0000000074FCB000-memory.dmp

memory/2664-44-0x0000000000400000-0x0000000000458000-memory.dmp