Malware Analysis Report

2024-11-15 08:31

Sample ID 240405-pbmpbsbe51
Target d35381609a7837b54625620b260ceba0_JaffaCakes118
SHA256 e451310ccd2dc212d3c4233ef75c6bd4a6b238e6ef44119ae4769cac2a2e5f54
Tags agilenet
Score 7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file d35381609a7837b54625620b260ceba0_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

agilenet

Checks computer location settings

Drops startup file

Loads dropped DLL

Executes dropped EXE

Obfuscated with Agile.Net obfuscator

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Analysis: static1

Detonation Overview

Reported

2024-04-05 12:09

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-05 12:09

Reported

2024-04-05 12:12

Platform

win7-20240221-en

Max time kernel

151s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d35381609a7837b54625620b260ceba0_JaffaCakes118.exe"

Signatures

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\steamerrorreporter.qtsfdaax.lnk C:\Users\Admin\AppData\Local\Temp\d35381609a7837b54625620b260ceba0_JaffaCakes118.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2780 set thread context of 2196 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2780 set thread context of 268 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2780 set thread context of 472 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2780 set thread context of 1616 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2780 set thread context of 1600 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2780 set thread context of 2068 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2780 set thread context of 1404 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2780 set thread context of 396 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2780 set thread context of 2244 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2780 set thread context of 984 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2780 set thread context of 1072 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2780 set thread context of 2228 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2780 set thread context of 1628 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d35381609a7837b54625620b260ceba0_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d35381609a7837b54625620b260ceba0_JaffaCakes118.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d35381609a7837b54625620b260ceba0_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2444 wrote to memory of 2780 N/A C:\Users\Admin\AppData\Local\Temp\d35381609a7837b54625620b260ceba0_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe
PID 2780 wrote to memory of 2396 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe
PID 2780 wrote to memory of 2196 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2780 wrote to memory of 268 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2780 wrote to memory of 472 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2780 wrote to memory of 1616 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 2780 wrote to memory of 1600 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d35381609a7837b54625620b260ceba0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\d35381609a7837b54625620b260ceba0_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

Network

N/A

Files

\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe

MD5 d35381609a7837b54625620b260ceba0
SHA1 e2a849cd29fe4584fe183ec4a3d231b96c11510f
SHA256 e451310ccd2dc212d3c4233ef75c6bd4a6b238e6ef44119ae4769cac2a2e5f54
SHA512 a12e110cba61403f88f16ce101297d221f29050c5b7111245c73ed6dbd797493d3f96ed18a175106a1f49d57bd628b2e69695c637e624319a848dc513fd3092e

\Users\Admin\AppData\Local\Temp\ee50048c-b6eb-4ad3-b983-551cd617a0fd\AgileDotNetRT.dll

MD5 9af5eb006bb0bab7f226272d82c896c7
SHA1 c2a5bb42a5f08f4dc821be374b700652262308f0
SHA256 77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db
SHA512 7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-05 12:09

Reported

2024-04-05 12:11

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\d35381609a7837b54625620b260ceba0_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d35381609a7837b54625620b260ceba0_JaffaCakes118.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\steamerrorreporter.b2bqemce.lnk C:\Users\Admin\AppData\Local\Temp\d35381609a7837b54625620b260ceba0_JaffaCakes118.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 3752 set thread context of 544 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3752 set thread context of 3316 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3752 set thread context of 1576 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3752 set thread context of 692 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3752 set thread context of 4448 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3752 set thread context of 4032 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3752 set thread context of 1592 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3752 set thread context of 4628 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3752 set thread context of 2856 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3752 set thread context of 396 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3752 set thread context of 1872 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3752 set thread context of 4568 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3752 set thread context of 3960 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\d35381609a7837b54625620b260ceba0_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d35381609a7837b54625620b260ceba0_JaffaCakes118.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\d35381609a7837b54625620b260ceba0_JaffaCakes118.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1600 wrote to memory of 3752 N/A C:\Users\Admin\AppData\Local\Temp\d35381609a7837b54625620b260ceba0_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe
PID 3752 wrote to memory of 1588 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe
PID 3752 wrote to memory of 544 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3752 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3752 wrote to memory of 1576 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3752 wrote to memory of 692 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3752 wrote to memory of 4448 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3752 wrote to memory of 1592 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3752 wrote to memory of 4032 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe
PID 3752 wrote to memory of 2856 N/A C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\d35381609a7837b54625620b260ceba0_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\d35381609a7837b54625620b260ceba0_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\RegAsm.exe"

Network

Files

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\steamerrorreporter.exe

MD5 d35381609a7837b54625620b260ceba0
SHA1 e2a849cd29fe4584fe183ec4a3d231b96c11510f
SHA256 e451310ccd2dc212d3c4233ef75c6bd4a6b238e6ef44119ae4769cac2a2e5f54
SHA512 a12e110cba61403f88f16ce101297d221f29050c5b7111245c73ed6dbd797493d3f96ed18a175106a1f49d57bd628b2e69695c637e624319a848dc513fd3092e

C:\Users\Admin\AppData\Local\Temp\ee50048c-b6eb-4ad3-b983-551cd617a0fd\AgileDotNetRT.dll

MD5 9af5eb006bb0bab7f226272d82c896c7
SHA1 c2a5bb42a5f08f4dc821be374b700652262308f0
SHA256 77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db
SHA512 7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\RegAsm.exe.log

MD5 a5dcc7c9c08af7dddd82be5b036a4416
SHA1 4f998ca1526d199e355ffb435bae111a2779b994
SHA256 e24033ceec97fd03402b03acaaabd1d1e378e83bb1683afbccac760e00f8ead5
SHA512 56035de734836c0c39f0b48641c51c26adb6e79c6c65e23ca96603f71c95b8673e2ef853146e87efc899dd1878d0bbc2c82d91fbf0fce81c552048e986f9bb5a
