Malware Analysis Report

2025-03-14 22:26

Sample ID 240407-26872ahe76
Target e614c22d5cab478df232f482eb20f1db_JaffaCakes118
SHA256 89d3301c45deaf65710058e037afc627eaee1dd00dd4e287d3f68f5eaafaa095
Tags persistence
Score 7/10

Analysis Overview

score
7/10

SHA256

89d3301c45deaf65710058e037afc627eaee1dd00dd4e287d3f68f5eaafaa095

Threat Level: Shows suspicious behavior

The file e614c22d5cab478df232f482eb20f1db_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

persistence

Unexpected DNS network traffic destination

Deletes itself

Loads dropped DLL

Executes dropped EXE

Registers COM server for autorun

Drops desktop.ini file(s)

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Suspicious use of UnmapMainImage

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-07 23:12

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-07 23:12

Reported

2024-04-07 23:15

Platform

win7-20240215-en

Max time kernel

86s

Max time network

149s

Command Line

C:\Windows\system32\services.exe

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A
N/A N/A C:\Windows\system32\services.exe N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\e614c22d5cab478df232f482eb20f1db_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\e614c22d5cab478df232f482eb20f1db_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{b9c33cdc-3369-bc6d-6238-6e5af2d2dd3f}\\n." C:\Users\Admin\AppData\Local\Temp\e614c22d5cab478df232f482eb20f1db_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\ = "\\\\.\\globalroot\\systemroot\\Installer\\{b9c33cdc-3369-bc6d-6238-6e5af2d2dd3f}\\n." C:\Users\Admin\AppData\Local\Temp\e614c22d5cab478df232f482eb20f1db_JaffaCakes118.exe N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 83.133.123.20 N/A N/A

Drops desktop.ini file(s)

Description Indicator Process Target
File created \systemroot\assembly\GAC_64\Desktop.ini C:\Windows\system32\services.exe N/A
File created \systemroot\assembly\GAC_32\Desktop.ini C:\Windows\system32\services.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1600 set thread context of 2876 N/A C:\Users\Admin\AppData\Local\Temp\e614c22d5cab478df232f482eb20f1db_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\Installer\{b9c33cdc-3369-bc6d-6238-6e5af2d2dd3f}\@ C:\Users\Admin\AppData\Local\Temp\e614c22d5cab478df232f482eb20f1db_JaffaCakes118.exe N/A
File created C:\Windows\Installer\{b9c33cdc-3369-bc6d-6238-6e5af2d2dd3f}\n C:\Users\Admin\AppData\Local\Temp\e614c22d5cab478df232f482eb20f1db_JaffaCakes118.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\e614c22d5cab478df232f482eb20f1db_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\e614c22d5cab478df232f482eb20f1db_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{b9c33cdc-3369-bc6d-6238-6e5af2d2dd3f}\\n." C:\Users\Admin\AppData\Local\Temp\e614c22d5cab478df232f482eb20f1db_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1}\InprocServer32\ = "\\\\.\\globalroot\\systemroot\\Installer\\{b9c33cdc-3369-bc6d-6238-6e5af2d2dd3f}\\n." C:\Users\Admin\AppData\Local\Temp\e614c22d5cab478df232f482eb20f1db_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\clsid C:\Users\Admin\AppData\Local\Temp\e614c22d5cab478df232f482eb20f1db_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} C:\Users\Admin\AppData\Local\Temp\e614c22d5cab478df232f482eb20f1db_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e614c22d5cab478df232f482eb20f1db_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\services.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\services.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\services.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\services.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\services.exe N/A

Processes

C:\Windows\system32\services.exe

C:\Windows\system32\services.exe

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\e614c22d5cab478df232f482eb20f1db_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e614c22d5cab478df232f482eb20f1db_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\system32\cmd.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 promos.fling.com udp
US 64.210.151.32:80 promos.fling.com tcp
US 209.208.79.128:80 tcp
DE 83.133.123.20:53 udp

Files

C:\Users\Admin\AppData\Local\{b9c33cdc-3369-bc6d-6238-6e5af2d2dd3f}\n

MD5 bfa0c9ec67cd0f1b2dabfc7777aae294
SHA1 c15a4686bda91546e4c3abba58530423c40da3dc
SHA256 f3a8ac1721abb9068c5c281dafeaebdf3a66f96954c9e882ef71dee9c44bc585
SHA512 e2e7b989e17dcf2f0c2b93e53671a6f34230b31b0daa152fd9ec84aa14055b1350960d5dbc7da02a03d4eda7c68f9082f6c8be053ec56c0bed5b2bd0ef38556f

\systemroot\Installer\{b9c33cdc-3369-bc6d-6238-6e5af2d2dd3f}\@

MD5 34e3d459c21117b885b23ab2fcc58ca6
SHA1 cee3c08e3f422d90956655e7a4995f5e52ecebe6
SHA256 26c021e35cd777dba5da341f3db373acb6d1074dae026205d824d8c741bf75ec
SHA512 15d5562f56d28707b0e875ed48d17acfcffe7ec21d0d17322d126ce4e9b8a2a136b9ce97474d7bd64ed6b329c41ec35e6e52e9b2f6ff5c8a0d84ec74f30f365a

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-07 23:12

Reported

2024-04-07 23:15

Platform

win10v2004-20240226-en

Max time kernel

134s

Max time network

120s

Command Line

C:\Windows\Explorer.EXE

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Registers COM server for autorun

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\e614c22d5cab478df232f482eb20f1db_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\e614c22d5cab478df232f482eb20f1db_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{f764a837-015e-cbb3-f301-3aa7a9dbd8d8}\\n." C:\Users\Admin\AppData\Local\Temp\e614c22d5cab478df232f482eb20f1db_JaffaCakes118.exe N/A

Unexpected DNS network traffic destination

Description Indicator Process Target
Destination IP 83.133.123.20 N/A N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\clsid C:\Users\Admin\AppData\Local\Temp\e614c22d5cab478df232f482eb20f1db_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1} C:\Users\Admin\AppData\Local\Temp\e614c22d5cab478df232f482eb20f1db_JaffaCakes118.exe N/A
Key created \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\e614c22d5cab478df232f482eb20f1db_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\e614c22d5cab478df232f482eb20f1db_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000_Classes\CLSID\{42aedc87-2188-41fd-b9a3-0c966feabec1}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\{f764a837-015e-cbb3-f301-3aa7a9dbd8d8}\\n." C:\Users\Admin\AppData\Local\Temp\e614c22d5cab478df232f482eb20f1db_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e614c22d5cab478df232f482eb20f1db_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Explorer.EXE N/A

Suspicious use of UnmapMainImage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\e614c22d5cab478df232f482eb20f1db_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\e614c22d5cab478df232f482eb20f1db_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 232.168.11.51.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 promos.fling.com udp
US 64.210.151.32:80 promos.fling.com tcp
US 209.208.79.128:80 tcp
DE 83.133.123.20:53 udp

Files

C:\Users\Admin\AppData\Local\{f764a837-015e-cbb3-f301-3aa7a9dbd8d8}\n

MD5 bfa0c9ec67cd0f1b2dabfc7777aae294
SHA1 c15a4686bda91546e4c3abba58530423c40da3dc
SHA256 f3a8ac1721abb9068c5c281dafeaebdf3a66f96954c9e882ef71dee9c44bc585
SHA512 e2e7b989e17dcf2f0c2b93e53671a6f34230b31b0daa152fd9ec84aa14055b1350960d5dbc7da02a03d4eda7c68f9082f6c8be053ec56c0bed5b2bd0ef38556f
