Malware Analysis Report

2025-06-15 20:09

Sample ID 240602-ss7ydagd82
Target 8e894d99ad6d4bb1c36f47d6a740aec9_JaffaCakes118
SHA256 ed4ccdec9be51c7d3193f74c1506164e963cecb72b1dab2bbd71c26db55475a4
Tags
spyware stealer
score
7/10

Analysis Overview

score
7/10

SHA256

ed4ccdec9be51c7d3193f74c1506164e963cecb72b1dab2bbd71c26db55475a4

Threat Level: Shows suspicious behavior

The file 8e894d99ad6d4bb1c36f47d6a740aec9_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

spyware stealer

Reads user/profile data of web browsers

Downloads MZ/PE file

Drops file in Program Files directory

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

Enumerates system info in registry

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-02 15:24

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-02 15:24

Reported

2024-06-02 15:26

Platform

win7-20240220-en

Max time kernel

140s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e894d99ad6d4bb1c36f47d6a740aec9_JaffaCakes118.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Downloads MZ/PE file

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\0F761989.log C:\Users\Admin\AppData\Local\Temp\is-7SM0U.tmp\8e894d99ad6d4bb1c36f47d6a740aec9_JaffaCakes118.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7SM0U.tmp\8e894d99ad6d4bb1c36f47d6a740aec9_JaffaCakes118.tmp N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\is-7SM0U.tmp\8e894d99ad6d4bb1c36f47d6a740aec9_JaffaCakes118.tmp N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\is-7SM0U.tmp\8e894d99ad6d4bb1c36f47d6a740aec9_JaffaCakes118.tmp N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\is-7SM0U.tmp\8e894d99ad6d4bb1c36f47d6a740aec9_JaffaCakes118.tmp N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\is-7SM0U.tmp\8e894d99ad6d4bb1c36f47d6a740aec9_JaffaCakes118.tmp N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\is-7SM0U.tmp\8e894d99ad6d4bb1c36f47d6a740aec9_JaffaCakes118.tmp N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7SM0U.tmp\8e894d99ad6d4bb1c36f47d6a740aec9_JaffaCakes118.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-7SM0U.tmp\8e894d99ad6d4bb1c36f47d6a740aec9_JaffaCakes118.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2728 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\8e894d99ad6d4bb1c36f47d6a740aec9_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\is-7SM0U.tmp\8e894d99ad6d4bb1c36f47d6a740aec9_JaffaCakes118.tmp

Processes

C:\Users\Admin\AppData\Local\Temp\8e894d99ad6d4bb1c36f47d6a740aec9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8e894d99ad6d4bb1c36f47d6a740aec9_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\is-7SM0U.tmp\8e894d99ad6d4bb1c36f47d6a740aec9_JaffaCakes118.tmp

"C:\Users\Admin\AppData\Local\Temp\is-7SM0U.tmp\8e894d99ad6d4bb1c36f47d6a740aec9_JaffaCakes118.tmp" /SL5="$400F4,9177237,721408,C:\Users\Admin\AppData\Local\Temp\8e894d99ad6d4bb1c36f47d6a740aec9_JaffaCakes118.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 rp.appuniverseapplication.com udp
US 8.8.8.8:53 os.appuniverseapplication.com udp
US 8.8.8.8:53 post.securestudies.com udp
US 165.193.78.234:80 post.securestudies.com tcp
US 8.8.8.8:53 os2.appuniverseapplication.com udp
US 165.193.78.234:80 post.securestudies.com tcp
US 8.8.8.8:53 dpd.securestudies.com udp
FR 52.222.201.92:443 dpd.securestudies.com tcp
FR 52.222.201.92:443 dpd.securestudies.com tcp

Files

memory/2728-2-0x0000000000401000-0x00000000004A9000-memory.dmp

memory/2728-0-0x0000000000400000-0x00000000004BE000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-7SM0U.tmp\8e894d99ad6d4bb1c36f47d6a740aec9_JaffaCakes118.tmp

MD5 54bad05ebd524e34598af9089dcf316f
SHA1 a370bd0394cce4f5d2ad149c59a0aeb2fdabae63
SHA256 01854585f6ba9aa13848fb9a855ebaa91fb16d964c5aa95e52743c58883e3e63
SHA512 186b12e6e3ee4a20b1c1fa2de9d26ebbd156e37ece24d1f3ee97d4274546cfc29681c70f6d8abcf1a4b332a7432ab9b89a7721deb247e01691a543570eb43cca

memory/2952-9-0x0000000000400000-0x0000000000679000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-HPFJN.tmp\itdownload.dll

MD5 d82a429efd885ca0f324dd92afb6b7b8
SHA1 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256 b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA512 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

memory/2952-12-0x00000000024C0000-0x00000000024FC000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-HPFJN.tmp\ezdatzsazzxt.dll

MD5 afa76a2892c84ccd3293abe93b9f0fe2
SHA1 65e8bb102ae4f4beab9ce3599d329dffadb3ac26
SHA256 2b664154bf818b1517e4359fbfbfa7851a3c912a21de0fd330bb395fb87d9533
SHA512 ba8e0a9f01c64b1cf0d5ee4f9d9610e543377ba94d3e7d3d7d4d469cef2abb131a4f500bc2ef503ea0c1ecd7ed76121e1a848c1cc04f063167ab73a3a2f71e3f

C:\Users\Admin\AppData\Local\Temp\nsd25939729238619\bootstrap_20962.html

MD5 1ea9e5b417811379e874ad4870d5c51a
SHA1 a4bd01f828454f3619a815dbe5423b181ec4051c
SHA256 f076773a6e3ae0f1cee3c69232779a1aaaf05202db472040c0c8ea4a70af173a
SHA512 965c10d2aa5312602153338da873e8866d2782e0cf633befe5a552b770e08abf47a4d2e007cdef7010c212ebcb9fefea5610c41c7ed1553440eaeab7ddd72daa

C:\Users\Admin\AppData\Local\Temp\nsd25939729238619\css\main.css

MD5 9b27e2a266fe15a3aabfe635c29e8923
SHA1 403afe68c7ee99698c0e8873ce1cd424b503c4c8
SHA256 166aa42bc5216c5791388847ae114ec0671a0d97b9952d14f29419b8be3fb23f
SHA512 4b07c11db91ce5750d81959c7b2c278ed41bb64c1d1aa29da87344c5177b8eb82d7d710b426f401b069fd05062395655d985ca031489544cdf9b72fe533afa61

C:\Users\Admin\AppData\Local\Temp\nsd25939729238619\images\Loader.gif

MD5 57ca1a2085d82f0574e3ef740b9a5ead
SHA1 2974f4bf37231205a256f2648189a461e74869c0
SHA256 476a7b1085cc64de1c0eb74a6776fa8385d57eb18774f199df83fc4d7bbcc24e
SHA512 2d50b9095d06ffd15eeeccf0eb438026ca8d09ba57141fed87a60edd2384e2139320fb5539144a2f16de885c49b0919a93690974f32b73654debca01d9d7d55c

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-02 15:24

Reported

2024-06-02 15:27

Platform

win10v2004-20240226-en

Max time kernel

150s

Max time network

157s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8e894d99ad6d4bb1c36f47d6a740aec9_JaffaCakes118.exe"

Signatures

Reads user/profile data of web browsers

spyware stealer

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\0E584E79.log C:\Users\Admin\AppData\Local\Temp\is-DJH22.tmp\8e894d99ad6d4bb1c36f47d6a740aec9_JaffaCakes118.tmp N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-DJH22.tmp\8e894d99ad6d4bb1c36f47d6a740aec9_JaffaCakes118.tmp N/A

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\is-DJH22.tmp\8e894d99ad6d4bb1c36f47d6a740aec9_JaffaCakes118.tmp N/A
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Users\Admin\AppData\Local\Temp\is-DJH22.tmp\8e894d99ad6d4bb1c36f47d6a740aec9_JaffaCakes118.tmp N/A

Enumerates system info in registry

Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\is-DJH22.tmp\8e894d99ad6d4bb1c36f47d6a740aec9_JaffaCakes118.tmp N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\is-DJH22.tmp\8e894d99ad6d4bb1c36f47d6a740aec9_JaffaCakes118.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-DJH22.tmp\8e894d99ad6d4bb1c36f47d6a740aec9_JaffaCakes118.tmp N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\is-DJH22.tmp\8e894d99ad6d4bb1c36f47d6a740aec9_JaffaCakes118.tmp N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8e894d99ad6d4bb1c36f47d6a740aec9_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8e894d99ad6d4bb1c36f47d6a740aec9_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\is-DJH22.tmp\8e894d99ad6d4bb1c36f47d6a740aec9_JaffaCakes118.tmp

"C:\Users\Admin\AppData\Local\Temp\is-DJH22.tmp\8e894d99ad6d4bb1c36f47d6a740aec9_JaffaCakes118.tmp" /SL5="$A002E,9177237,721408,C:\Users\Admin\AppData\Local\Temp\8e894d99ad6d4bb1c36f47d6a740aec9_JaffaCakes118.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2248,i,10247514684337323751,15511974759131734137,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 20.231.121.79:80 tcp
US 8.8.8.8:53 rp.appuniverseapplication.com udp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 os.appuniverseapplication.com udp
US 8.8.8.8:53 os2.appuniverseapplication.com udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 13.107.246.64:443 tcp
US 8.8.8.8:53 91.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.179.89.13.in-addr.arpa udp

Files

memory/4416-1-0x0000000000400000-0x00000000004BE000-memory.dmp

memory/4416-2-0x0000000000401000-0x00000000004A9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-DJH22.tmp\8e894d99ad6d4bb1c36f47d6a740aec9_JaffaCakes118.tmp

MD5 54bad05ebd524e34598af9089dcf316f
SHA1 a370bd0394cce4f5d2ad149c59a0aeb2fdabae63
SHA256 01854585f6ba9aa13848fb9a855ebaa91fb16d964c5aa95e52743c58883e3e63
SHA512 186b12e6e3ee4a20b1c1fa2de9d26ebbd156e37ece24d1f3ee97d4274546cfc29681c70f6d8abcf1a4b332a7432ab9b89a7721deb247e01691a543570eb43cca

memory/640-6-0x0000000000400000-0x0000000000679000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-AR5S9.tmp\itdownload.dll

MD5 d82a429efd885ca0f324dd92afb6b7b8
SHA1 86bbdaa15e6fc5c7779ac69c84e53c43c9eb20ea
SHA256 b258c4d7d2113dee2168ed7e35568c8e03341e24e3eafc7a22a0d62e32122ef3
SHA512 5bf0c3b8fa5db63205a263c4fa5337188173248bef609ba4d03508c50db1fd1e336f3041ce96d78cc97659357a83e6e422f5b079d893a20a683270e05f5438df

memory/640-12-0x0000000003540000-0x000000000357C000-memory.dmp

memory/4416-14-0x0000000000400000-0x00000000004BE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-AR5S9.tmp\ezdatzsazzxt.dll

MD5 afa76a2892c84ccd3293abe93b9f0fe2
SHA1 65e8bb102ae4f4beab9ce3599d329dffadb3ac26
SHA256 2b664154bf818b1517e4359fbfbfa7851a3c912a21de0fd330bb395fb87d9533
SHA512 ba8e0a9f01c64b1cf0d5ee4f9d9610e543377ba94d3e7d3d7d4d469cef2abb131a4f500bc2ef503ea0c1ecd7ed76121e1a848c1cc04f063167ab73a3a2f71e3f

C:\Users\Admin\AppData\Local\Temp\nsd24066359325108\bootstrap_45122.html

MD5 1ea9e5b417811379e874ad4870d5c51a
SHA1 a4bd01f828454f3619a815dbe5423b181ec4051c
SHA256 f076773a6e3ae0f1cee3c69232779a1aaaf05202db472040c0c8ea4a70af173a
SHA512 965c10d2aa5312602153338da873e8866d2782e0cf633befe5a552b770e08abf47a4d2e007cdef7010c212ebcb9fefea5610c41c7ed1553440eaeab7ddd72daa

C:\Users\Admin\AppData\Local\Temp\nsd24066359325108\css\main.css

MD5 9b27e2a266fe15a3aabfe635c29e8923
SHA1 403afe68c7ee99698c0e8873ce1cd424b503c4c8
SHA256 166aa42bc5216c5791388847ae114ec0671a0d97b9952d14f29419b8be3fb23f
SHA512 4b07c11db91ce5750d81959c7b2c278ed41bb64c1d1aa29da87344c5177b8eb82d7d710b426f401b069fd05062395655d985ca031489544cdf9b72fe533afa61

C:\Users\Admin\AppData\Local\Temp\nsd24066359325108\images\Loader.gif

MD5 57ca1a2085d82f0574e3ef740b9a5ead
SHA1 2974f4bf37231205a256f2648189a461e74869c0
SHA256 476a7b1085cc64de1c0eb74a6776fa8385d57eb18774f199df83fc4d7bbcc24e
SHA512 2d50b9095d06ffd15eeeccf0eb438026ca8d09ba57141fed87a60edd2384e2139320fb5539144a2f16de885c49b0919a93690974f32b73654debca01d9d7d55c
