Malware Analysis Report

2024-09-23 11:15

Sample ID 240614-257b2stenp
Target abed41b3b60eb1d9348e9bf66da294df_JaffaCakes118
SHA256 c0ac94a4b322299f8c66705b3960d00861ee8d6463c456078674b5212fbca6e0
Tags bootkit discovery persistence
Score 7/10

Analysis Overview

score
7/10

SHA256

c0ac94a4b322299f8c66705b3960d00861ee8d6463c456078674b5212fbca6e0

Threat Level: Shows suspicious behavior

The file abed41b3b60eb1d9348e9bf66da294df_JaffaCakes118 was found to be: Shows suspicious behavior.

Malicious Activity Summary

bootkit discovery persistence

Modifies file permissions

Enumerates connected drives

Writes to the Master Boot Record (MBR)

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Enumerates physical storage devices

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported 2024-06-14 23:10

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-14 23:10
Reported 2024-06-14 23:13
Platform win7-20240508-en
Max time kernel 147s
Max time network 149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\abed41b3b60eb1d9348e9bf66da294df_JaffaCakes118.exe"

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Enumerates connected drives

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\abed41b3b60eb1d9348e9bf66da294df_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\metnsd C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid\SequenceID = 5c3700261c1fed42bde462a9e64e4bf3 C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\abed41b3b60eb1d9348e9bf66da294df_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\abed41b3b60eb1d9348e9bf66da294df_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\abed41b3b60eb1d9348e9bf66da294df_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe

C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe

C:\Windows\SysWOW64\icacls.exe

"C:\Windows\System32\icacls.exe" C:\Users\Admin\AppData\Roaming\Tencent\Config\ /t /setintegritylevel low

Network

Files

\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.dll

\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe

\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\dr.dll

C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL_core.dll

C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\p2papp.dll

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-14 23:10
Reported 2024-06-14 23:13
Platform win10v2004-20240508-en
Max time kernel 148s
Max time network 151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\abed41b3b60eb1d9348e9bf66da294df_JaffaCakes118.exe"

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\icacls.exe N/A

Enumerates connected drives

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\abed41b3b60eb1d9348e9bf66da294df_JaffaCakes118.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\metnsd C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\metnsd\clsid\SequenceID = d8eb4477d054554daf930a4ba2e6a658 C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\abed41b3b60eb1d9348e9bf66da294df_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\abed41b3b60eb1d9348e9bf66da294df_JaffaCakes118.exe"

C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe

C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe

C:\Windows\SysWOW64\icacls.exe

"C:\Windows\System32\icacls.exe" C:\Users\Admin\AppData\Roaming\Tencent\Config\ /t /setintegritylevel low

Network

Files

C:\test.tmp

C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.dll

C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL.exe

C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\TenioDL_core.dll

C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\dr.dll

C:\Users\Admin\AppData\Roaming\Tencent\TxGameAssistant\GameDownload\p2papp.dll
