Malware Analysis Report

2024-10-10 12:09

Sample ID 240613-rqbxgswhmp
Target a6001234b63e417f465d7177980369d7_JaffaCakes118
SHA256 1f9ea074336d4002798a75c2431d27adbc09caf302acc1a8fcd73bfb2ac761fd
Tags
discovery persistence
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file a6001234b63e417f465d7177980369d7_JaffaCakes118 was classified as: Shows suspicious behavior.

Malicious Activity Summary

discovery persistence

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Checks installed software on the system

Adds Run key to start application

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

NSIS installer

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Modifies data under HKEY_USERS

Suspicious behavior: GetForegroundWindowSpam

Checks SCSI registry key(s)

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Uses Volume Shadow Copy service COM API

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 14:23

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

NSIS installer

installer
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 14:23

Reported

2024-06-13 14:26

Platform

win7-20240508-en

Max time kernel

141s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a6001234b63e417f465d7177980369d7_JaffaCakes118.exe"

Signatures

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\is-42RRT.tmp C:\Users\Admin\AppData\Local\Temp\is-7D2M0.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\is-EB0KE.tmp C:\Users\Admin\AppData\Local\Temp\is-7D2M0.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-7D2M0.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\is-LBIMG.tmp C:\Users\Admin\AppData\Local\Temp\is-7D2M0.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\is-MIVF5.tmp C:\Users\Admin\AppData\Local\Temp\is-7D2M0.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\is-PJ3DL.tmp C:\Users\Admin\AppData\Local\Temp\is-7D2M0.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\is-K6JME.tmp C:\Users\Admin\AppData\Local\Temp\is-7D2M0.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\is-3URJL.tmp C:\Users\Admin\AppData\Local\Temp\is-7D2M0.tmp\speedupmypc.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\INF\setupapi.ev3 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.ev1 C:\Windows\system32\DrvInst.exe N/A
File opened for modification C:\Windows\INF\setupapi.dev.log C:\Windows\system32\DrvInst.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs C:\Windows\system32\DrvInst.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing C:\Windows\system32\DrvInst.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs C:\Windows\system32\DrvInst.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7D2M0.tmp\speedupmypc.tmp N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\system32\DrvInst.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7D2M0.tmp\speedupmypc.tmp N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 848 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\a6001234b63e417f465d7177980369d7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nso20CB.tmp\speedupmypc.exe
PID 848 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\a6001234b63e417f465d7177980369d7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nso20CB.tmp\speedupmypc.exe
PID 848 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\a6001234b63e417f465d7177980369d7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nso20CB.tmp\speedupmypc.exe
PID 848 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\a6001234b63e417f465d7177980369d7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nso20CB.tmp\speedupmypc.exe
PID 848 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\a6001234b63e417f465d7177980369d7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nso20CB.tmp\speedupmypc.exe
PID 848 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\a6001234b63e417f465d7177980369d7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nso20CB.tmp\speedupmypc.exe
PID 848 wrote to memory of 2100 N/A C:\Users\Admin\AppData\Local\Temp\a6001234b63e417f465d7177980369d7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nso20CB.tmp\speedupmypc.exe
PID 2100 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\nso20CB.tmp\speedupmypc.exe C:\Users\Admin\AppData\Local\Temp\is-7D2M0.tmp\speedupmypc.tmp
PID 2100 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\nso20CB.tmp\speedupmypc.exe C:\Users\Admin\AppData\Local\Temp\is-7D2M0.tmp\speedupmypc.tmp
PID 2100 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\nso20CB.tmp\speedupmypc.exe C:\Users\Admin\AppData\Local\Temp\is-7D2M0.tmp\speedupmypc.tmp
PID 2100 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\nso20CB.tmp\speedupmypc.exe C:\Users\Admin\AppData\Local\Temp\is-7D2M0.tmp\speedupmypc.tmp
PID 2100 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\nso20CB.tmp\speedupmypc.exe C:\Users\Admin\AppData\Local\Temp\is-7D2M0.tmp\speedupmypc.tmp
PID 2100 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\nso20CB.tmp\speedupmypc.exe C:\Users\Admin\AppData\Local\Temp\is-7D2M0.tmp\speedupmypc.tmp
PID 2100 wrote to memory of 2248 N/A C:\Users\Admin\AppData\Local\Temp\nso20CB.tmp\speedupmypc.exe C:\Users\Admin\AppData\Local\Temp\is-7D2M0.tmp\speedupmypc.tmp

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\a6001234b63e417f465d7177980369d7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a6001234b63e417f465d7177980369d7_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\nso20CB.tmp\speedupmypc.exe

"C:\Users\Admin\AppData\Local\Temp\nso20CB.tmp\speedupmypc.exe" /verysilent

C:\Users\Admin\AppData\Local\Temp\is-7D2M0.tmp\speedupmypc.tmp

"C:\Users\Admin\AppData\Local\Temp\is-7D2M0.tmp\speedupmypc.tmp" /SL5="$400EE,5610871,504832,C:\Users\Admin\AppData\Local\Temp\nso20CB.tmp\speedupmypc.exe" /verysilent

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Windows\system32\DrvInst.exe

DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005B0" "00000000000003E0"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\nso20CB.tmp\speedupmypc.exe

MD5 b644360d462de0ceb35bb619129d90b2
SHA1 18669d3f87e61b4427f7828c841e80a7da978661
SHA256 c91bfe51a62d727e60329d545bede02be8aed9f8432205aad3582268b912af55
SHA512 495f80f6d22084c39db73d995e951d42451ecea2698fce54a594902ab472f8b23fc4fd58da2e1503a03fb6e3c00dc352b037fc5cd835e98248851588ba141b4b

memory/2100-5-0x0000000000400000-0x0000000000485000-memory.dmp

memory/2100-8-0x0000000000401000-0x0000000000417000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-7D2M0.tmp\speedupmypc.tmp

MD5 2a7ae693af9b16f0f9b9bdfa9127b0c3
SHA1 e84ba5377500271ee64513d0f6f1a61ba06c8620
SHA256 98b6b86163c30e9e0265e5cebd2eaee80da86ff16c4dae0a0d4034cf98c0bc51
SHA512 f46483c3bf3dbd4906fa97c9c04904dee8c6d4983322b999289195e829de1764fd693f2a98ef21c0a870e3e133bfbec874d2471e5fe91dcec1a77bed233cbcab

memory/2248-14-0x0000000000400000-0x000000000057E000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-T0RGD.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-T0RGD.tmp\InstallerExtensions.dll

MD5 60b8c0136bb50a00c11bb4e0710c5ed0
SHA1 3a99cc662c9db9d4d62d0e962767e7d294cc1491
SHA256 4a11a6dcced5ee63044b3c5e5f8fd10a30216ebbbaf4c983190e038c9728efea
SHA512 84cc13c58bfda0ffe2285fe9279e1962e3ffbf8e0862ec25bbf7bf15db58e63432a46ec6d8794d1e3c4132c37170574a51d413caae03f74307e360b6266dea84

memory/2100-25-0x0000000000400000-0x0000000000485000-memory.dmp

memory/2248-48-0x0000000000400000-0x000000000057E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 14:23

Reported

2024-06-13 14:26

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a6001234b63e417f465d7177980369d7_JaffaCakes118.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation C:\Program Files (x86)\Uniblue\SpeedUpMyPC\Launcher.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpeedUpMyPC = "\"C:\\Program Files (x86)\\Uniblue\\SpeedUpMyPC\\launcher.exe\" -d 20000 " C:\Program Files (x86)\Uniblue\SpeedUpMyPC\spmonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpeedUpMyPC = "\"C:\\Program Files (x86)\\Uniblue\\SpeedUpMyPC\\launcher.exe\" -d 20000 " C:\Program Files (x86)\Uniblue\SpeedUpMyPC\sump.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpeedUpMyPC = "\"C:\\Program Files (x86)\\Uniblue\\SpeedUpMyPC\\launcher.exe\" -d 20000 " C:\Program Files (x86)\Uniblue\SpeedUpMyPC\spmonitor.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SpeedUpMyPC = "C:\\Program Files (x86)\\Uniblue\\SpeedUpMyPC\\Launcher.exe" C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A

Checks installed software on the system

discovery

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\is-2J6I1.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\is-0FCG4.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\is-Q1AC6.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\locale\en\is-4FSE9.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\locale\it\is-2MVAG.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\locale\ru\is-PJE4P.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\is-5GQI4.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\locale\br\LC_MESSAGES\is-2VM56.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\locale\dk\is-40ON8.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\locale\en\LC_MESSAGES\is-LGARC.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\unins000.msg C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\is-1SUGR.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\locale\ru\LC_MESSAGES\is-V6F7R.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\is-OEER5.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\is-24UGJ.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\locale\jp\is-OF32E.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\locale\no\LC_MESSAGES\is-HJHMD.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\Third Party Terms\is-3CLR4.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\is-7GPEU.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\locale\jp\LC_MESSAGES\is-KCNVI.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\Third Party Terms\is-4FJ82.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\Third Party Terms\is-BKULI.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File opened for modification C:\Program Files (x86)\Uniblue\SpeedUpMyPC\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\is-671SD.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\locale\de\is-JRLNI.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\locale\nl\is-T9N7G.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\locale\nl\LC_MESSAGES\is-D4CUF.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\Third Party Terms\is-CKB6G.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\Third Party Terms\is-C4TH6.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\locale\no\is-9I0TJ.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\is-U8GO1.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\is-C94TM.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\is-UKD33.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\locale\es\is-OA9L0.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\locale\fi\is-OH9C0.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\locale\fi\LC_MESSAGES\is-RVPN0.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\is-RI128.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\is-C3O20.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\is-0LHI9.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\locale\se\LC_MESSAGES\is-DASUF.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\Third Party Terms\is-02KPU.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\is-NO8RU.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\Third Party Terms\is-IHSNK.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\Third Party Terms\is-LEJBM.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\locale\se\is-HAQVD.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\locale\br\is-S2T95.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\locale\fr\is-98R25.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\locale\dk\LC_MESSAGES\is-HU1QN.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\unins000.dat C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\locale\es\LC_MESSAGES\is-U2TEF.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\locale\de\LC_MESSAGES\is-TIBIQ.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\locale\fr\LC_MESSAGES\is-VKNV5.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\locale\it\LC_MESSAGES\is-75U6E.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\is-UHI40.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\is-NBVU4.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\is-CVNBT.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
File created C:\Program Files (x86)\Uniblue\SpeedUpMyPC\Third Party Terms\is-EJ8V9.tmp C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Tasks\SpeedUpMyPC.job C:\Program Files (x86)\Uniblue\SpeedUpMyPC\spmonitor.exe N/A
File created C:\Windows\Tasks\SpeedUpMyPC.job C:\Program Files (x86)\Uniblue\SpeedUpMyPC\spmonitor.exe N/A

Enumerates physical storage devices

Checks SCSI registry key(s)

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 C:\Windows\system32\vssvc.exe N/A
Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\system32\vssvc.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A
Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters C:\Windows\system32\vssvc.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier C:\Program Files (x86)\Uniblue\SpeedUpMyPC\sump.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier C:\Program Files (x86)\Uniblue\SpeedUpMyPC\sump.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Program Files (x86)\Uniblue\SpeedUpMyPC\sump.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Program Files (x86)\Uniblue\SpeedUpMyPC\sump.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\speedupmypc\ = "URL:SpeedUpMyPC Protocol" C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{314F2CE5-50A9-4e1f-AB87-2972E53DF62A}\InprocServer32 C:\Program Files (x86)\Uniblue\SpeedUpMyPC\sp_move_serial.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID C:\Program Files (x86)\Uniblue\SpeedUpMyPC\sp_move_serial.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23934143-3055-450d-903b-757a01043381} C:\Program Files (x86)\Uniblue\SpeedUpMyPC\sump.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23934143-3055-450d-903b-757a01043381}\FC = "85" C:\Program Files (x86)\Uniblue\SpeedUpMyPC\sump.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\speedupmypc\DefaultIcon\ = "sump.exe,1" C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\speedupmypc\shell\open\command\ = "\"C:\\Program Files (x86)\\Uniblue\\SpeedUpMyPC\\sump.exe\" --serial=\"%1\"" C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{23934143-b757-a010-4338-183382556278} C:\Program Files (x86)\Uniblue\SpeedUpMyPC\sp_move_serial.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\speedupmypc\shell C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\speedupmypc C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\speedupmypc\DefaultIcon C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\speedupmypc\shell\open\command C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{314F2CE5-50A9-4e1f-AB87-2972E53DF62A} C:\Program Files (x86)\Uniblue\SpeedUpMyPC\sp_move_serial.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\speedupmypc\URL Protocol C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\speedupmypc\shell\open C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node C:\Program Files (x86)\Uniblue\SpeedUpMyPC\sp_move_serial.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeBackupPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeAuditPrivilege N/A C:\Windows\system32\vssvc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\system32\srtasks.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\srtasks.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp N/A
N/A N/A C:\Program Files (x86)\Uniblue\SpeedUpMyPC\sump.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Uniblue\SpeedUpMyPC\sump.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Uniblue\SpeedUpMyPC\sump.exe N/A
N/A N/A C:\Program Files (x86)\Uniblue\SpeedUpMyPC\sump.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 996 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\a6001234b63e417f465d7177980369d7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsa53FD.tmp\speedupmypc.exe
PID 996 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\a6001234b63e417f465d7177980369d7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsa53FD.tmp\speedupmypc.exe
PID 996 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\a6001234b63e417f465d7177980369d7_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\nsa53FD.tmp\speedupmypc.exe
PID 2476 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\nsa53FD.tmp\speedupmypc.exe C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp
PID 2476 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\nsa53FD.tmp\speedupmypc.exe C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp
PID 2476 wrote to memory of 960 N/A C:\Users\Admin\AppData\Local\Temp\nsa53FD.tmp\speedupmypc.exe C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp
PID 996 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\a6001234b63e417f465d7177980369d7_JaffaCakes118.exe C:\Program Files (x86)\Uniblue\SpeedUpMyPC\Launcher.exe
PID 996 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\a6001234b63e417f465d7177980369d7_JaffaCakes118.exe C:\Program Files (x86)\Uniblue\SpeedUpMyPC\Launcher.exe
PID 996 wrote to memory of 636 N/A C:\Users\Admin\AppData\Local\Temp\a6001234b63e417f465d7177980369d7_JaffaCakes118.exe C:\Program Files (x86)\Uniblue\SpeedUpMyPC\Launcher.exe
PID 960 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp C:\Program Files (x86)\Uniblue\SpeedUpMyPC\sp_move_serial.exe
PID 960 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp C:\Program Files (x86)\Uniblue\SpeedUpMyPC\sp_move_serial.exe
PID 960 wrote to memory of 4004 N/A C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp C:\Program Files (x86)\Uniblue\SpeedUpMyPC\sp_move_serial.exe
PID 636 wrote to memory of 4000 N/A C:\Program Files (x86)\Uniblue\SpeedUpMyPC\Launcher.exe C:\Program Files (x86)\Uniblue\SpeedUpMyPC\sump.exe
PID 636 wrote to memory of 4000 N/A C:\Program Files (x86)\Uniblue\SpeedUpMyPC\Launcher.exe C:\Program Files (x86)\Uniblue\SpeedUpMyPC\sump.exe
PID 636 wrote to memory of 4000 N/A C:\Program Files (x86)\Uniblue\SpeedUpMyPC\Launcher.exe C:\Program Files (x86)\Uniblue\SpeedUpMyPC\sump.exe
PID 960 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp C:\Program Files (x86)\Uniblue\SpeedUpMyPC\sp_ubm.exe
PID 960 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp C:\Program Files (x86)\Uniblue\SpeedUpMyPC\sp_ubm.exe
PID 960 wrote to memory of 2704 N/A C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp C:\Program Files (x86)\Uniblue\SpeedUpMyPC\sp_ubm.exe
PID 960 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp C:\Program Files (x86)\Uniblue\SpeedUpMyPC\spmonitor.exe
PID 960 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp C:\Program Files (x86)\Uniblue\SpeedUpMyPC\spmonitor.exe
PID 960 wrote to memory of 4336 N/A C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp C:\Program Files (x86)\Uniblue\SpeedUpMyPC\spmonitor.exe

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Users\Admin\AppData\Local\Temp\a6001234b63e417f465d7177980369d7_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a6001234b63e417f465d7177980369d7_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\nsa53FD.tmp\speedupmypc.exe

"C:\Users\Admin\AppData\Local\Temp\nsa53FD.tmp\speedupmypc.exe" /verysilent

C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp

"C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp" /SL5="$5011A,5610871,504832,C:\Users\Admin\AppData\Local\Temp\nsa53FD.tmp\speedupmypc.exe" /verysilent

C:\Windows\system32\vssvc.exe

C:\Windows\system32\vssvc.exe

C:\Program Files (x86)\Uniblue\SpeedUpMyPC\Launcher.exe

"C:\Program Files (x86)\Uniblue\SpeedUpMyPC\Launcher.exe"

C:\Program Files (x86)\Uniblue\SpeedUpMyPC\sp_move_serial.exe

"C:\Program Files (x86)\Uniblue\SpeedUpMyPC\sp_move_serial.exe"

C:\Program Files (x86)\Uniblue\SpeedUpMyPC\sump.exe

"C:\Program Files (x86)\Uniblue\SpeedUpMyPC\sump.exe"

C:\Program Files (x86)\Uniblue\SpeedUpMyPC\sp_ubm.exe

"C:\Program Files (x86)\Uniblue\SpeedUpMyPC\sp_ubm.exe" -i

C:\Program Files (x86)\Uniblue\SpeedUpMyPC\spmonitor.exe

"C:\Program Files (x86)\Uniblue\SpeedUpMyPC\spmonitor.exe" -i

C:\Program Files (x86)\Uniblue\SpeedUpMyPC\spmonitor.exe

"C:\Program Files (x86)\Uniblue\SpeedUpMyPC\spmonitor.exe"

C:\Windows\system32\srtasks.exe

C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 update.uniblue.com udp
N/A 127.0.0.1:10437 N/A tcp
N/A 127.0.0.1:10437 N/A tcp
N/A 127.0.0.1:10437 N/A tcp

Files

C:\Users\Admin\AppData\Local\Temp\nsa53FD.tmp\speedupmypc.exe

MD5 b644360d462de0ceb35bb619129d90b2
SHA1 18669d3f87e61b4427f7828c841e80a7da978661
SHA256 c91bfe51a62d727e60329d545bede02be8aed9f8432205aad3582268b912af55
SHA512 495f80f6d22084c39db73d995e951d42451ecea2698fce54a594902ab472f8b23fc4fd58da2e1503a03fb6e3c00dc352b037fc5cd835e98248851588ba141b4b

memory/2476-4-0x0000000000400000-0x0000000000485000-memory.dmp

memory/2476-6-0x0000000000401000-0x0000000000417000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-FVM14.tmp\speedupmypc.tmp

MD5 2a7ae693af9b16f0f9b9bdfa9127b0c3
SHA1 e84ba5377500271ee64513d0f6f1a61ba06c8620
SHA256 98b6b86163c30e9e0265e5cebd2eaee80da86ff16c4dae0a0d4034cf98c0bc51
SHA512 f46483c3bf3dbd4906fa97c9c04904dee8c6d4983322b999289195e829de1764fd693f2a98ef21c0a870e3e133bfbec874d2471e5fe91dcec1a77bed233cbcab

memory/960-11-0x0000000000400000-0x000000000057E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-VVSDV.tmp\InstallerExtensions.dll

MD5 60b8c0136bb50a00c11bb4e0710c5ed0
SHA1 3a99cc662c9db9d4d62d0e962767e7d294cc1491
SHA256 4a11a6dcced5ee63044b3c5e5f8fd10a30216ebbbaf4c983190e038c9728efea
SHA512 84cc13c58bfda0ffe2285fe9279e1962e3ffbf8e0862ec25bbf7bf15db58e63432a46ec6d8794d1e3c4132c37170574a51d413caae03f74307e360b6266dea84

memory/2476-21-0x0000000000400000-0x0000000000485000-memory.dmp

C:\Program Files (x86)\Uniblue\SpeedUpMyPC\locale\dk\LC_MESSAGES\is-HU1QN.tmp

MD5 0a6824d0790d34c7cbfc376f86af2e4e
SHA1 4948403c9e3961609267f757e526765463af814f
SHA256 529e774985715519cc93aea312d90d0c07834dbac1b314e95805a473ae1d2d82
SHA512 3795bf95f03507a733f2c4586d7a60b5ca8dd223d91ca12bb1bb453286058f58c628535ef7f698399c10785c0b7c8d628d021b23e6b8faa89a1dc4f1df6ac345

C:\Program Files (x86)\Uniblue\SpeedUpMyPC\Launcher.exe

MD5 ce4265908f9fa61bae45d9916d32a2d7
SHA1 b87451fd0fcb2ffc37b97841b7d101cd62740eb7
SHA256 e1f9f1b9491b552d2cb3002e5d42d644046210f829629f3b51c54cea1d1085ec
SHA512 6c44df5cd87d18783103e1ae20518cddb1c61f95aa8a472bd18c9a25c9420cc7ed571f9e34ed334beef192bab817b81da2ea24b5aa0ecddf67237d783c889d77

C:\Program Files (x86)\Uniblue\SpeedUpMyPC\sp_move_serial.exe

MD5 c2bebccec5aeb22434969fa4787f976b
SHA1 14cd3ea7033380e6e76269d6fe343ee76a371173
SHA256 3e452f2c28f063927ad782cb7c62a9a96881647166d38b1f321ca04aac2b52ca
SHA512 dbe3dcfaadcf2a2379ed99e0fb7905fd4ee03df677addfc90183f5a0ce2c6267382acdad3d9975027248b209ff4330eadf169af9dc19ba914af12434c508436c

memory/4004-161-0x00000000006A0000-0x00000000006AB000-memory.dmp

C:\Program Files (x86)\Uniblue\SpeedUpMyPC\library.dat

MD5 c6c30f78400e33fd7bd61d7c1f0c2e31
SHA1 ef8c23e7c6406f55ea1d7e67b38fe2107fb8c852
SHA256 299e64e02d36b7b168dae867307f4bf1e2a1d9f06a77d1756d8012c4aa577b32
SHA512 241d0cc3bec24343ef7235bb828127760995630897bf2cbd019a23d6f34c337e56de9cbd09c7aff371a8ae623c36f7d8707c6db707efc300626a01cbac59c03d

memory/4004-168-0x000000001E8C0000-0x000000001E8DC000-memory.dmp

memory/4004-164-0x000000001E7A0000-0x000000001E7BE000-memory.dmp

memory/4004-172-0x000000001D1A0000-0x000000001D1BD000-memory.dmp

memory/4004-179-0x000000001EBF0000-0x000000001EBFC000-memory.dmp

C:\Program Files (x86)\Uniblue\SpeedUpMyPC\sump.exe

MD5 7b74fb169d2dc6a5f6a9bf240a780c48
SHA1 89549c6c58d4590cc3f9d73f5332ae56e0ff4fd6
SHA256 cd9f3686dad5413e7827455b0e7e42dad7a9c9ac2aad0b51bc3c1465c7a52ec7
SHA512 1a757e777d6da6bfdcec0ec47bc4147590dc7c000684e2465a88b2ae12163fa29b9de5878a2a527df8b6f32927b1665030c33729a7f6a410ff4dc3360e81cc92

memory/4004-210-0x000000001ECB0000-0x000000001ECBD000-memory.dmp

memory/4004-206-0x00000000024A0000-0x00000000024C7000-memory.dmp

C:\Program Files (x86)\Uniblue\SpeedUpMyPC\sp_ubm.exe

MD5 f353ce08167f5bd3092e87c257c59f23
SHA1 3eadcb53dd018fef3cc8b19a59b2d6cb8f8b92c3
SHA256 a9912804711bb9ee0e5905207c9f712c01cfebe0710facabc6187a3797d53703
SHA512 46ab88c4d6e3b384beb864c566258119e34a9a05babdbcf04f039dc159d661d7b76d4335fcea8f3ac0baa048032e0fb294b70daa88f0a24179080b339ba6afff

memory/4000-218-0x000000001E000000-0x000000001E227000-memory.dmp

memory/4004-202-0x0000000002260000-0x0000000002267000-memory.dmp

memory/4004-198-0x0000000002480000-0x000000000249F000-memory.dmp

memory/4004-195-0x0000000002210000-0x000000000225A000-memory.dmp

memory/4004-191-0x00000000021E0000-0x00000000021F5000-memory.dmp

memory/4004-188-0x0000000010000000-0x0000000010008000-memory.dmp

memory/4004-183-0x000000001EA40000-0x000000001EA6B000-memory.dmp

memory/4004-175-0x000000001E9B0000-0x000000001E9B9000-memory.dmp

memory/4004-157-0x000000001E000000-0x000000001E227000-memory.dmp

C:\Program Files (x86)\Uniblue\SpeedUpMyPC\locale\en\LC_MESSAGES\messages.mo

MD5 b1c0df4c206f1531e8b107592290c374
SHA1 f4b68948561dc0c68332df37ee7996796eb25905
SHA256 ec4ce49336d9cc99d80411cb924a11b64efa9d60a09b2af2ad2fc2d2db05cc83
SHA512 c7a0951d14a4af5c18b8c9f69e7eec5b2e974d79c53b3f8dc0c192de1811ff1b85280f18a256c277f52cd394c2a662ec15f584a9dc67f7e6c3be683dc69812c2

C:\Program Files (x86)\Uniblue\SpeedUpMyPC\locale\en\en.dll

MD5 ba9c3b948e172036459eaec254106d06
SHA1 d031ab806e6a322c9087d88d4fc78e9e59ba6ddc
SHA256 e6de8f293d3fad3f8546ba9f78cd4776e6e092348b36b7d8a132a780f21deb37
SHA512 1181233dec2198bf6e61543e33db547a51fc1e0baa0c99dd0c15f3ca2bd0623584d263312e7db003d4a87520277ee1d811eaa2fe91dec1db365ebad2a3501f11

C:\Program Files (x86)\Uniblue\SpeedUpMyPC\spmonitor.exe

MD5 046fcf293e3c78a19a09ebbcf7d863f9
SHA1 888f2a9e3986daf6259be0bc9aa63b0e3919f82a
SHA256 07726e4620503ba9054561749dec6b36f004540da9574a519e8d6d7e461eecca
SHA512 f33e247a50b80b016e630f6245918fe9becd4752092cd977ebf6c140217c4f3fff297e7a8ed93619e6c1d15d9c3a3462237993ab2a4057a3a3df6e86b52f7972

memory/960-466-0x0000000000400000-0x000000000057E000-memory.dmp

C:\Users\Admin\AppData\Roaming\Uniblue\SpeedUpMyPC\monitor.log

MD5 9fa5e77594b7d98c6b665968043625e5
SHA1 8e8abfbd60edf81c5d68be3643b1e01d4489535c
SHA256 e266b814f2451260c0c5f8782b295af984aaac25aea15c70c641ca320b5b80ea
SHA512 967c546b63dce377180714477aa4a2b19f3cd6477ea3f5ea5a3a364422980435198f16f265089b84ef33a9c38ce722e55c970d38ba5d0447d353da17c695217e

C:\Users\Admin\AppData\Roaming\Uniblue\SpeedUpMyPC\settings.dat

MD5 55207ea119153342aad9b664add96bd7
SHA1 998b642bf6d457a6b85abe0fce2c5b7d0489c520
SHA256 69d087239b81e701a0c11d7cecee99c67af33feb17359d5e4aec40f7d5b44215
SHA512 11ea5ee3ff3981d79aeccab8609d18be6f62c650cc320fdbd2200a18f096324998a720067d689497eed780ce901dca081ab85fcb7591bbf816930c8bb6fe71d5

C:\Program Files (x86)\Uniblue\SpeedUpMyPC\st.dat

MD5 f1de9c699816f7095b22eea8084a6731
SHA1 d756a16e17adb672dde6d879dd680868e743765e
SHA256 5eb7b41fb48685783210d8fc9afa51431635db1993d5b4facf083bc55b4c8efc
SHA512 2d6efeb2e7e9ee163bbcac74501ccc8a8ba02c488fb859458b2de7d9fbdeaabc2a5a3f2980fc6c6f93092572d18ac174e627445057411226fd00b6a2ad5e792f

C:\Users\Admin\AppData\Local\Temp\964f847b-d319-41d9-9ce7-52400d8659de88649fa1299011ef8d0f5a63b3ea338b

MD5 1cbd5c57b240a34f7d4a16e2a136040b
SHA1 543a05a75c62285ae0412188ce1c86381a6e6c7c
SHA256 a4028636f193353a81128080380ae9a1fdd43e2fcec5e6cb9283318634bb3fda
SHA512 6bac0a53c71c4de146d56e4f224082607b8bbe72416fab044131e1efbf4699d87fcd3b1fbaf5c2e57202366b4862073ab8eec72d3a781feb360ad880d46861f5

C:\Program Files (x86)\Uniblue\SpeedUpMyPC\intermediate_views.dat

MD5 60d0f5c99114f2786318de6c5c0543d0
SHA1 d5ef9246666126dcf8510110c9945c7aa2773289
SHA256 faf967235c9c4019fd4b46d546327048209e22bda46f07fa47bec1f6266b75a3
SHA512 7579e66a53fbcf27ed507e610062210f2666803afe6d4ad713c91a9dba0651ce15a06da09d2b793aa7ab8d8be9594fe9d40c963e3d93a599dac56cd9438f5588

C:\Program Files (x86)\Uniblue\SpeedUpMyPC\views.dat

MD5 252246db8ee38f91f87f88c6d4d12457
SHA1 614bcbe1a434e93b46b6654a1f1b4d3c058aa34f
SHA256 c9aedab67b1e6b876c6f1c1c378f9b926de7478f2a4635b105e0443113017d9a
SHA512 a507c2c747f9c62c6670ee98318e0149dc3856fd66757ca7ae149e8b2c3eafd5979d4c9dbf00cad49215309533b497106ed0d2f8e722892d7e1cd745fc63a2fb

C:\Program Files (x86)\Uniblue\SpeedUpMyPC\cwebpage.dll

MD5 0ecfd7d80f8652c27894e19e124072e8
SHA1 83481722f4faf47ea5493360e348e182b4a00c16
SHA256 853c8f5eca726d14dd18b5372ce67f1108b3421c8ccd18faf3db27d28b92e4f7
SHA512 bc9df732bbcc9435697c4bf60c9aa7576dbbf30ecc9d9ea50787c61cd28dbfbeb27963afb87dd4b855a1bfe2fcd127ce0ab1b12ee70b2959aa6584c0b313665a

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-13 14:23

Reported

2024-06-13 14:26

Platform

win7-20240611-en

Max time kernel

140s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\speedupmypc.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7KKAU.tmp\speedupmypc.tmp N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-7KKAU.tmp\speedupmypc.tmp N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\speedupmypc.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\speedupmypc.exe"

C:\Users\Admin\AppData\Local\Temp\is-7KKAU.tmp\speedupmypc.tmp

"C:\Users\Admin\AppData\Local\Temp\is-7KKAU.tmp\speedupmypc.tmp" /SL5="$400BE,5610871,504832,C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\speedupmypc.exe"

Network

N/A

Files

memory/2028-2-0x0000000000401000-0x0000000000417000-memory.dmp

memory/2028-0-0x0000000000400000-0x0000000000485000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-7KKAU.tmp\speedupmypc.tmp

MD5 2a7ae693af9b16f0f9b9bdfa9127b0c3
SHA1 e84ba5377500271ee64513d0f6f1a61ba06c8620
SHA256 98b6b86163c30e9e0265e5cebd2eaee80da86ff16c4dae0a0d4034cf98c0bc51
SHA512 f46483c3bf3dbd4906fa97c9c04904dee8c6d4983322b999289195e829de1764fd693f2a98ef21c0a870e3e133bfbec874d2471e5fe91dcec1a77bed233cbcab

memory/1764-8-0x0000000000400000-0x000000000057E000-memory.dmp

\Users\Admin\AppData\Local\Temp\is-I7GGS.tmp\_isetup\_shfoldr.dll

MD5 92dc6ef532fbb4a5c3201469a5b5eb63
SHA1 3e89ff837147c16b4e41c30d6c796374e0b8e62c
SHA256 9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87
SHA512 9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

\Users\Admin\AppData\Local\Temp\is-I7GGS.tmp\InstallerExtensions.dll

MD5 60b8c0136bb50a00c11bb4e0710c5ed0
SHA1 3a99cc662c9db9d4d62d0e962767e7d294cc1491
SHA256 4a11a6dcced5ee63044b3c5e5f8fd10a30216ebbbaf4c983190e038c9728efea
SHA512 84cc13c58bfda0ffe2285fe9279e1962e3ffbf8e0862ec25bbf7bf15db58e63432a46ec6d8794d1e3c4132c37170574a51d413caae03f74307e360b6266dea84

memory/2028-19-0x0000000000400000-0x0000000000485000-memory.dmp

memory/1764-26-0x0000000000400000-0x000000000057E000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-13 14:23

Reported

2024-06-13 14:26

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\speedupmypc.exe"

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4KQIF.tmp\speedupmypc.tmp N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\is-4KQIF.tmp\speedupmypc.tmp N/A

Processes

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\speedupmypc.exe

"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\speedupmypc.exe"

C:\Users\Admin\AppData\Local\Temp\is-4KQIF.tmp\speedupmypc.tmp

"C:\Users\Admin\AppData\Local\Temp\is-4KQIF.tmp\speedupmypc.tmp" /SL5="$80118,5610871,504832,C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\speedupmypc.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4252,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4604 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp

Files

memory/3508-0-0x0000000000400000-0x0000000000485000-memory.dmp

memory/3508-2-0x0000000000401000-0x0000000000417000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-4KQIF.tmp\speedupmypc.tmp

MD5 2a7ae693af9b16f0f9b9bdfa9127b0c3
SHA1 e84ba5377500271ee64513d0f6f1a61ba06c8620
SHA256 98b6b86163c30e9e0265e5cebd2eaee80da86ff16c4dae0a0d4034cf98c0bc51
SHA512 f46483c3bf3dbd4906fa97c9c04904dee8c6d4983322b999289195e829de1764fd693f2a98ef21c0a870e3e133bfbec874d2471e5fe91dcec1a77bed233cbcab

memory/4084-7-0x0000000000400000-0x000000000057E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\is-25B21.tmp\InstallerExtensions.dll

MD5 60b8c0136bb50a00c11bb4e0710c5ed0
SHA1 3a99cc662c9db9d4d62d0e962767e7d294cc1491
SHA256 4a11a6dcced5ee63044b3c5e5f8fd10a30216ebbbaf4c983190e038c9728efea
SHA512 84cc13c58bfda0ffe2285fe9279e1962e3ffbf8e0862ec25bbf7bf15db58e63432a46ec6d8794d1e3c4132c37170574a51d413caae03f74307e360b6266dea84

memory/3508-17-0x0000000000400000-0x0000000000485000-memory.dmp

memory/4084-24-0x0000000000400000-0x000000000057E000-memory.dmp