Malware Analysis Report

2025-03-14 22:41

Sample ID 240406-1qq6vacg22
Target e35d8ebfa688954d46ced5a019d6d7d6_JaffaCakes118
SHA256 cf79d7fa8b6a8ef362ea9a7fbc5134e8ae8fa2fc675ce366d74a279dec54b8db
Tags persistence
Score 7/10

Analysis Overview

score
7/10

SHA256

cf79d7fa8b6a8ef362ea9a7fbc5134e8ae8fa2fc675ce366d74a279dec54b8db

Threat Level: Shows suspicious behavior

The file e35d8ebfa688954d46ced5a019d6d7d6_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence

Loads dropped DLL

Executes dropped EXE

Adds Run key to start application

Suspicious use of SetThreadContext

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of UnmapMainImage

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Analysis: static1

Detonation Overview

Reported

2024-04-06 21:51

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-06 21:51

Reported

2024-04-06 21:54

Platform

win10v2004-20231215-en

Max time kernel

90s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e35d8ebfa688954d46ced5a019d6d7d6_JaffaCakes118.exe"

Signatures

N/A

Processes

C:\Users\Admin\AppData\Local\Temp\e35d8ebfa688954d46ced5a019d6d7d6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e35d8ebfa688954d46ced5a019d6d7d6_JaffaCakes118.exe"

Network

Files

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-06 21:51

Reported

2024-04-06 21:54

Platform

win7-20240221-en

Max time kernel

166s

Max time network

169s

Command Line

"taskhost.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Keozg\iqumf.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Windows\CurrentVersion\Run\{716CE7C8-8449-AD4E-8B2B-CDD0BB2BEECD} = "C:\\Users\\Admin\\AppData\\Roaming\\Keozg\\iqumf.exe" C:\Users\Admin\AppData\Roaming\Keozg\iqumf.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2992 set thread context of 756 N/A C:\Users\Admin\AppData\Local\Temp\e35d8ebfa688954d46ced5a019d6d7d6_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\cmd.exe

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Privacy C:\Users\Admin\AppData\Local\Temp\e35d8ebfa688954d46ced5a019d6d7d6_JaffaCakes118.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2461186416-2307104501-1787948496-1000\Software\Microsoft\Internet Explorer\Privacy\CleanCookies = "0" C:\Users\Admin\AppData\Local\Temp\e35d8ebfa688954d46ced5a019d6d7d6_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Keozg\iqumf.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e35d8ebfa688954d46ced5a019d6d7d6_JaffaCakes118.exe N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\e35d8ebfa688954d46ced5a019d6d7d6_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Keozg\iqumf.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2992 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\e35d8ebfa688954d46ced5a019d6d7d6_JaffaCakes118.exe C:\Users\Admin\AppData\Roaming\Keozg\iqumf.exe
PID 1948 wrote to memory of 1140 N/A C:\Users\Admin\AppData\Roaming\Keozg\iqumf.exe C:\Windows\system32\taskhost.exe
PID 1948 wrote to memory of 1240 N/A C:\Users\Admin\AppData\Roaming\Keozg\iqumf.exe C:\Windows\system32\Dwm.exe
PID 1948 wrote to memory of 1300 N/A C:\Users\Admin\AppData\Roaming\Keozg\iqumf.exe C:\Windows\Explorer.EXE
PID 1948 wrote to memory of 2992 N/A C:\Users\Admin\AppData\Roaming\Keozg\iqumf.exe C:\Users\Admin\AppData\Local\Temp\e35d8ebfa688954d46ced5a019d6d7d6_JaffaCakes118.exe
PID 2992 wrote to memory of 756 N/A C:\Users\Admin\AppData\Local\Temp\e35d8ebfa688954d46ced5a019d6d7d6_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 756 wrote to memory of 1908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WerFault.exe
PID 1948 wrote to memory of 2708 N/A C:\Users\Admin\AppData\Roaming\Keozg\iqumf.exe C:\Windows\system32\conhost.exe
PID 1948 wrote to memory of 1908 N/A C:\Users\Admin\AppData\Roaming\Keozg\iqumf.exe C:\Windows\SysWOW64\WerFault.exe

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\e35d8ebfa688954d46ced5a019d6d7d6_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e35d8ebfa688954d46ced5a019d6d7d6_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\Keozg\iqumf.exe

"C:\Users\Admin\AppData\Roaming\Keozg\iqumf.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\tmpff8c17aa.bat"

C:\Windows\system32\conhost.exe

\??\C:\Windows\system32\conhost.exe "291121692-802443451-227281910-208957908013849630101267076644-963725818422595924"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 756 -s 116

Network

Files

\Users\Admin\AppData\Roaming\Keozg\iqumf.exe

MD5 c2f673a201fea35a04c861ce6af8a68c
SHA1 2d3bb0a13c7daf8770b700bb1df7cec9c88c6be3
SHA256 43aef23a8d5c5badce790e2a28efa85e69d74486a8cf5e1d92f070330186812f
SHA512 a29b6984f0739c06e4072921842cf3780ce31056254d748dd44f79640a6fe57c99d9ce9eae625738ce3741f8f798b2f9b1d1e7d80bc55620686334a651772699

C:\Users\Admin\AppData\Roaming\Otko\mubi.ocu

MD5 d9ecb4aa1218bbce06bafa2800cc1716
SHA1 9f607eca96b4239a356ae3829fb108211e54f416
SHA256 fb383ff8b84aac58763f39f164c1cffdab1700587738e3523abc43003b162c20
SHA512 9ec0ea8021e0eb9c56d8453512387fa656ad6f304fdd4f55d3722667f336940d1546b11191716c59907131e3e69de9abd68cb5bf5712b451a74a8e28975fbd6c
