Malware Analysis Report

2024-10-23 22:20

Sample ID 240506-2h9hwsec81
Target 1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118
SHA256 caf8a53c2a1bbc6169474702cd71a047176f4e4c78244e2a1c2a82352ca97c25
Tags formbook hx232 rat spyware stealer trojan
Score 10/10

Analysis Overview

Threat Level: Known bad

The file 1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

formbook hx232 rat spyware stealer trojan

Formbook family

Formbook

Formbook payload

Executes dropped EXE

Loads dropped DLL

Suspicious use of SetThreadContext

Program crash

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-06 22:36

Signatures

Formbook family

formbook

Formbook payload

rat

Unsigned PE

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-06 22:36
Reported: 2024-05-06 22:38
Platform: win7-20240419-en
Max time kernel: 150s
Max time network: 120s

Command Line

C:\Windows\Explorer.EXE

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\cmstp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2284 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
PID 2748 wrote to memory of 3060 N/A C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
PID 3060 wrote to memory of 1452 N/A C:\Users\Admin\AppData\Local\Temp\RegAsm.exe C:\Windows\SysWOW64\cmstp.exe
PID 1452 wrote to memory of 2760 N/A C:\Windows\SysWOW64\cmstp.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Users\Admin\AppData\Local\Temp\1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

"C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"

C:\Windows\SysWOW64\cmstp.exe

"C:\Windows\SysWOW64\cmstp.exe"

C:\Windows\SysWOW64\cmd.exe

/c del "C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5 91c9ae9c9a17a9db5e08b120e668c74c
SHA1 50770954c1ceb0bb6f1d5d3f2de2a0a065773723
SHA256 e56a7e5d3ab9675555e2897fc3faa2dd9265008a4967a7d54030ab8184d2d38f
SHA512 ca504af192e3318359d4742a2ef26ae1b5d040a4f9942782e02549a310158d5d5dbf919b4c748c31ee609d2046bd23ee0c22712891c86ae4a1e3a58c6e67647e

\Users\Admin\AppData\Local\Temp\RegAsm.exe

MD5 b58b926c3574d28d5b7fdd2ca3ec30d5
SHA1 d260c4ffd603a9cfc057fcb83d678b1cecdf86f9
SHA256 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3
SHA512 b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-06 22:36
Reported: 2024-05-06 22:38
Platform: win10v2004-20240419-en
Max time kernel: 138s
Max time network: 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe"

Signatures

Formbook

trojan spyware stealer formbook

Formbook payload

rat

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RegAsm.exe N/A

Program crash

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WerFault.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3092 wrote to memory of 1940 N/A C:\Users\Admin\AppData\Local\Temp\1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
PID 1940 wrote to memory of 4348 N/A C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1e96b55fdd95824b3f3c5f2156be44c5_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

"C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

"C:\Users\Admin\AppData\Local\Temp\RegAsm.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4348 -ip 4348

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4348 -s 540

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 51.15.97.104.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

MD5 5d4073b2eb6d217c19f2b22f21bf8d57
SHA1 f0209900fbf08d004b886a0b3ba33ea2b0bf9da8
SHA256 ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3
SHA512 9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

C:\Users\Admin\AppData\Local\Temp\RegAsm.exe

MD5 0d5df43af2916f47d00c1573797c1a13
SHA1 230ab5559e806574d26b4c20847c368ed55483b0
SHA256 c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc
SHA512 f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2
