Analysis Overview
SHA256
08e5e7e5f30801b363f08a6106425faa1c505bd048a18c846a5b3e5959a4998e
Threat Level: Likely malicious
The file 906c4effd6a20be22ea026a43a3cb7b3_JaffaCakes118 was found to be: Likely malicious.
Malicious Activity Summary
Modifies boot configuration data using bcdedit
Executes dropped EXE
Loads dropped DLL
Enumerates connected drives
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 03:40
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 03:40
Reported
2024-06-03 03:42
Platform
win7-20240508-en
Max time kernel
142s
Max time network
124s
Command Line
Signatures
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\bcdedit.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\906c4effd6a20be22ea026a43a3cb7b3_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\906c4effd6a20be22ea026a43a3cb7b3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\906c4effd6a20be22ea026a43a3cb7b3_JaffaCakes118.exe"
C:\Windows\system32\cmd.exe
cmd.exe /c bcdedit.exe > "C:\Users\Admin\AppData\Local\Temp\usb343A.tmp"
C:\Windows\system32\bcdedit.exe
bcdedit.exe
C:\Windows\system32\bcdedit.exe
bcdedit.exe /set testsigning on
C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi" REBOOTNEEDED=1
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D0C9DF6317ADDF2742D799C15122DCF1 C
C:\Users\Admin\AppData\Local\Temp\{2CFB83C8-9CC1-4834-8239-F92EA883E843}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{2CFB83C8-9CC1-4834-8239-F92EA883E843}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{81D96D21-22FB-4CAE-96D7-605EBFCDF17E}
C:\Users\Admin\AppData\Local\Temp\{2CFB83C8-9CC1-4834-8239-F92EA883E843}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{2CFB83C8-9CC1-4834-8239-F92EA883E843}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{30800951-EE10-4792-90B6-C65BDE1BAB57}
C:\Users\Admin\AppData\Local\Temp\{2CFB83C8-9CC1-4834-8239-F92EA883E843}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{2CFB83C8-9CC1-4834-8239-F92EA883E843}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{97BACE8B-0229-41A8-9C9E-D67D3A21AFCE}
C:\Users\Admin\AppData\Local\Temp\{2CFB83C8-9CC1-4834-8239-F92EA883E843}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{2CFB83C8-9CC1-4834-8239-F92EA883E843}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F89F8BD4-C35D-40CE-AEA6-98E6737EABF4}
C:\Users\Admin\AppData\Local\Temp\{2CFB83C8-9CC1-4834-8239-F92EA883E843}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{2CFB83C8-9CC1-4834-8239-F92EA883E843}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8119C05A-A801-4B12-82FF-0085996E880A}
C:\Users\Admin\AppData\Local\Temp\{2CFB83C8-9CC1-4834-8239-F92EA883E843}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{2CFB83C8-9CC1-4834-8239-F92EA883E843}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{DC0D47C2-16B2-4C2E-B1C9-867C49C707FD}
C:\Users\Admin\AppData\Local\Temp\{2CFB83C8-9CC1-4834-8239-F92EA883E843}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{2CFB83C8-9CC1-4834-8239-F92EA883E843}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{0A89F21B-C9B8-4C52-A4C5-3A3498DE43D5}
C:\Users\Admin\AppData\Local\Temp\{2CFB83C8-9CC1-4834-8239-F92EA883E843}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{2CFB83C8-9CC1-4834-8239-F92EA883E843}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{A38E201D-AA3C-48D3-8860-4B4064F88D67}
C:\Users\Admin\AppData\Local\Temp\{2CFB83C8-9CC1-4834-8239-F92EA883E843}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{2CFB83C8-9CC1-4834-8239-F92EA883E843}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FAB04425-C584-44AE-9159-F54054F9F4BA}
C:\Users\Admin\AppData\Local\Temp\{2CFB83C8-9CC1-4834-8239-F92EA883E843}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{2CFB83C8-9CC1-4834-8239-F92EA883E843}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{E9F0CF3A-3277-42DE-89F4-C11F94F06E2C}
C:\Users\Admin\AppData\Local\Temp\{2CFB83C8-9CC1-4834-8239-F92EA883E843}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{2CFB83C8-9CC1-4834-8239-F92EA883E843}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AF843DAD-31B2-4A83-9C97-9E1C9B1681A3}
Network
Files
C:\Users\Admin\AppData\Local\Temp\usb343A.tmp
| MD5 | b29137fabacbaffd06344b24cc6ff015 |
| SHA1 | ed9fda988d5b3cb4aef5281789c27627fc4486e3 |
| SHA256 | 09e29dde461114b1040749d9cfa04f5d0aa9ba11b2879f91177204f4ed846be6 |
| SHA512 | 902824267f555e1bac819357a97eec016fce90d412d8d00b076090b830913ed24b05a9c7923013476662f6e25ea71dedc74e1c693f140930a9868b8efccda5cf |
C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi
| MD5 | 2c35cb1d6bc7e9e2c1fd18e401de3a02 |
| SHA1 | cfba57b4d521dc1d9bd5f226ab954f7ec8da3108 |
| SHA256 | ec29ea59edf79119f5cb06fc7e742cd191652e2afebb223d94a98b38dc7c3c5b |
| SHA512 | fe2ee417f6bd8687116297c4c09872aa8d5c9e1cb048fe792befc494dddc0f2a100f21680b210fcace2b0562055ce9443091e409e74e1136c8b2c9643c0ed2b5 |
C:\Users\Admin\AppData\Local\Temp\MSI3765.tmp
| MD5 | 7a2798d06f6ff4bb08381e75e1202277 |
| SHA1 | 123875bd02231d8e06d234e400f64ebb6ce622f2 |
| SHA256 | c73541a041134a4e9d7e9e5f68aef83fa3f6caad9e9b44b7cba52cd5441a38de |
| SHA512 | 16784c47c85b5c446422d6c17c933fbe1bd0b4f02bf43d487b404180c2b53567e587c527b5c4b23c4af96780499e01e5871fb67ccbf83d5ed90df433f15a120a |
memory/2628-8-0x0000000010000000-0x00000000101B5000-memory.dmp
\Users\Admin\AppData\Local\Temp\{2CFB83C8-9CC1-4834-8239-F92EA883E843}\ISBEW64.exe
| MD5 | c3b2acc07bb0610405fc786e3432bef9 |
| SHA1 | 333d5f2b55bd00ad4311ba104af7db984f953924 |
| SHA256 | 9acc6cb5d01a4e4dbc92c8774c6999fab5f0e49f097e83098ba740842f5a2894 |
| SHA512 | 2438e5dd11c8322101d9dc2d0f89ed0b1fc3cb5a65f644a1cf07f4c5a7f353c648e715fb910e09a444b623b3384eecd628e312608bcec63aa3b0107630df32bd |
\Users\Admin\AppData\Local\Temp\{2CFB83C8-9CC1-4834-8239-F92EA883E843}\ISRT.dll
| MD5 | a93f625ef42b54c2b0f4d38201e67606 |
| SHA1 | cbfebc1f736ccfc65562ede79a5ae1a8afb116a1 |
| SHA256 | e91a865c3d60d9d0bce5d5a0a2f551c5e032d5bc13bc40f85091ce46d38064e0 |
| SHA512 | 805f0d535022de3d03aa191239fd90c54f2f6745bf02e0ce9cbe59ea34eecac7f9ebb600864c7cbcad5d011fa61bdb5b65889136617edc44178f87bd3970b198 |
memory/2628-32-0x0000000002E30000-0x0000000002ED7000-memory.dmp
\Users\Admin\AppData\Local\Temp\{2CFB83C8-9CC1-4834-8239-F92EA883E843}\_isres_0x0409.dll
| MD5 | d6bbf7ff6984213c7f1f0f8f07c51e6a |
| SHA1 | cfe933fc3b634f7333adec7ec124c14e9d19ac21 |
| SHA256 | 6366e18a8cbf609c9573f341004e5c2725c23a12973affa90ee7bcc7934ae1b2 |
| SHA512 | a1364c96848f54b241c8e92ed1887ca599255c8046e31af11cd4b0b23d97c00243808dff9086a536c0084d6815223685283844a9e27f2c20c4d3b85a794a9e9d |
memory/2628-35-0x0000000003170000-0x00000000031F9000-memory.dmp
memory/2628-52-0x0000000002E30000-0x0000000002ED7000-memory.dmp
memory/2628-51-0x0000000010000000-0x00000000101B5000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 03:40
Reported
2024-06-03 03:42
Platform
win10v2004-20240508-en
Max time kernel
143s
Max time network
97s
Command Line
Signatures
Modifies boot configuration data using bcdedit
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SYSTEM32\bcdedit.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
| N/A | N/A | C:\Windows\syswow64\MsiExec.exe | N/A |
Enumerates connected drives
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened (read-only) | \??\I: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\N: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Y: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\T: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\R: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\X: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\S: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\B: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\K: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\H: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\I: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\M: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\O: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\P: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\U: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\V: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\J: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\A: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\E: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\G: | C:\Windows\SysWOW64\msiexec.exe | N/A |
| File opened (read-only) | \??\Z: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\L: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\Q: | C:\Windows\system32\msiexec.exe | N/A |
| File opened (read-only) | \??\W: | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeMachineAccountPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreatePermanentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAuditPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeSyncAgentPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeEnableDelegationPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeCreateTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeAssignPrimaryTokenPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeLockMemoryPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\906c4effd6a20be22ea026a43a3cb7b3_JaffaCakes118.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\906c4effd6a20be22ea026a43a3cb7b3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\906c4effd6a20be22ea026a43a3cb7b3_JaffaCakes118.exe"
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c bcdedit.exe > "C:\Users\Admin\AppData\Local\Temp\usb701F.tmp"
C:\Windows\system32\bcdedit.exe
bcdedit.exe
C:\Windows\SYSTEM32\bcdedit.exe
bcdedit.exe /set testsigning on
C:\Windows\SysWOW64\msiexec.exe
msiexec.exe /i "C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi" REBOOTNEEDED=1
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 78428D6170137DDC6D9DEB76952F1A08 C
C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B5E24028-63DD-4538-AC84-405A441BD2CF}
C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{22B7427C-3724-4BE4-86D0-4629E6D608AD}
C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{8AB096F5-7B49-4A2B-9309-9F8010AD85E6}
C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{F30B0C79-7504-48E2-A24A-3CA7E6214F7F}
C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{124B2B01-0167-4B24-8660-7D723B7F9F85}
C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{B7CD3E7D-7B34-4873-B857-A23956FD119A}
C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{07441B02-C815-498C-8450-0152E61B9EE5}
C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{63289CF8-3977-4955-A804-F7EC21A16E61}
C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{EDD58BE7-39F1-42AA-B394-1E0950D20C92}
C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{FAD35A6F-AC18-48C1-98DE-B12E44543347}
C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe
C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{7AFFED01-E21B-4DC3-AA33-4D5F437A5AED}
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\usb701F.tmp
| MD5 | 40323f90d4b6fadfa1652b951b17a43b |
| SHA1 | 6f2a7849eddee6a26439efded23228ec9c557ebf |
| SHA256 | 0b82c6f01bf8c62768d48e5c52adb69131df0225b12563e974854139472fd457 |
| SHA512 | c81044cda91d40a4f2d340902cf7e4bbb8eee943b92eed10e60a7b4aee3d3f2091ef8b48de5e2e80d9d5c2c914cf02a482d4885241ff000f27c4da2aee4bf8f8 |
C:\Users\Admin\AppData\Local\Temp\QualcommWindowsDriverInstaller.msi
| MD5 | 2c35cb1d6bc7e9e2c1fd18e401de3a02 |
| SHA1 | cfba57b4d521dc1d9bd5f226ab954f7ec8da3108 |
| SHA256 | ec29ea59edf79119f5cb06fc7e742cd191652e2afebb223d94a98b38dc7c3c5b |
| SHA512 | fe2ee417f6bd8687116297c4c09872aa8d5c9e1cb048fe792befc494dddc0f2a100f21680b210fcace2b0562055ce9443091e409e74e1136c8b2c9643c0ed2b5 |
C:\Users\Admin\AppData\Local\Temp\MSI7649.tmp
| MD5 | 7a2798d06f6ff4bb08381e75e1202277 |
| SHA1 | 123875bd02231d8e06d234e400f64ebb6ce622f2 |
| SHA256 | c73541a041134a4e9d7e9e5f68aef83fa3f6caad9e9b44b7cba52cd5441a38de |
| SHA512 | 16784c47c85b5c446422d6c17c933fbe1bd0b4f02bf43d487b404180c2b53567e587c527b5c4b23c4af96780499e01e5871fb67ccbf83d5ed90df433f15a120a |
memory/2020-8-0x0000000010000000-0x00000000101B5000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISBEW64.exe
| MD5 | c3b2acc07bb0610405fc786e3432bef9 |
| SHA1 | 333d5f2b55bd00ad4311ba104af7db984f953924 |
| SHA256 | 9acc6cb5d01a4e4dbc92c8774c6999fab5f0e49f097e83098ba740842f5a2894 |
| SHA512 | 2438e5dd11c8322101d9dc2d0f89ed0b1fc3cb5a65f644a1cf07f4c5a7f353c648e715fb910e09a444b623b3384eecd628e312608bcec63aa3b0107630df32bd |
C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\ISRT.dll
| MD5 | a93f625ef42b54c2b0f4d38201e67606 |
| SHA1 | cbfebc1f736ccfc65562ede79a5ae1a8afb116a1 |
| SHA256 | e91a865c3d60d9d0bce5d5a0a2f551c5e032d5bc13bc40f85091ce46d38064e0 |
| SHA512 | 805f0d535022de3d03aa191239fd90c54f2f6745bf02e0ce9cbe59ea34eecac7f9ebb600864c7cbcad5d011fa61bdb5b65889136617edc44178f87bd3970b198 |
C:\Users\Admin\AppData\Local\Temp\{6A81BB54-BFD2-47A0-868C-0E3117087A64}\_isres_0x0409.dll
| MD5 | d6bbf7ff6984213c7f1f0f8f07c51e6a |
| SHA1 | cfe933fc3b634f7333adec7ec124c14e9d19ac21 |
| SHA256 | 6366e18a8cbf609c9573f341004e5c2725c23a12973affa90ee7bcc7934ae1b2 |
| SHA512 | a1364c96848f54b241c8e92ed1887ca599255c8046e31af11cd4b0b23d97c00243808dff9086a536c0084d6815223685283844a9e27f2c20c4d3b85a794a9e9d |
memory/2020-35-0x0000000003090000-0x0000000003119000-memory.dmp
memory/2020-33-0x0000000002F20000-0x0000000002FC7000-memory.dmp
memory/2020-47-0x0000000002F20000-0x0000000002FC7000-memory.dmp
memory/2020-46-0x0000000010000000-0x00000000101B5000-memory.dmp