Malware Analysis Report

2024-07-11 07:35

Sample ID 240616-mpnsfazfme
Target b313bbe17bd5ee9c00acff3bfccdb48a_JaffaCakes118
SHA256 71f7a9da99b5e3c9520bc2cc73e520598d469be6539b3c243fb435fe02e44338
Tags plugx trojan
Score 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 10/10

SHA256 71f7a9da99b5e3c9520bc2cc73e520598d469be6539b3c243fb435fe02e44338

Threat Level: Known bad

The file b313bbe17bd5ee9c00acff3bfccdb48a_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

plugx trojan

PlugX

Detects PlugX payload

Checks computer location settings

Executes dropped EXE

Deletes itself

Loads dropped DLL

Drops file in System32 directory

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Modifies data under HKEY_USERS

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported 2024-06-16 10:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-16 10:38
Reported 2024-06-16 10:41
Platform win7-20240508-en
Max time kernel 149s
Max time network 148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b313bbe17bd5ee9c00acff3bfccdb48a_JaffaCakes118.exe"

Signatures

Detects PlugX payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

PlugX

trojan plugx

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe N/A
N/A N/A C:\ProgramData\SxS\Nv.exe N/A
N/A N/A C:\ProgramData\SxS\Nv.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\counters.dat C:\Windows\SysWOW64\svchost.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{43C94297-09D6-4250-A7D2-668F5D09A1EB} C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{43C94297-09D6-4250-A7D2-668F5D09A1EB}\WpadDecision = "0" C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-54-90-6c-76-2f\WpadDecisionTime = 20063462d9bfda01 C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-54-90-6c-76-2f\WpadDecisionReason = "1" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000002000000090000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable = "0" C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{43C94297-09D6-4250-A7D2-668F5D09A1EB}\WpadNetworkName = "Network 3" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000003000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0022000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-54-90-6c-76-2f\WpadDecisionTime = a06910a2d9bfda01 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{43C94297-09D6-4250-A7D2-668F5D09A1EB}\WpadDecisionTime = 20063462d9bfda01 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-54-90-6c-76-2f C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings = 4600000004000000090000000000000000000000000000000400000000000000000000000000000000000000000000000000000001000000020000000a7f0022000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix C:\Windows\SysWOW64\svchost.exe N/A
Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-54-90-6c-76-2f\WpadDetectedUrl C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{43C94297-09D6-4250-A7D2-668F5D09A1EB}\WpadDecisionReason = "1" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{43C94297-09D6-4250-A7D2-668F5D09A1EB}\aa-54-90-6c-76-2f C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\aa-54-90-6c-76-2f\WpadDecision = "0" C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad\{43C94297-09D6-4250-A7D2-668F5D09A1EB}\WpadDecisionTime = a06910a2d9bfda01 C:\Windows\SysWOW64\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 38003200330033004500340031003300350039003700330046004600360038000000 C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\SxS\Nv.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\SxS\Nv.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\SxS\Nv.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\SxS\Nv.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2580 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\b313bbe17bd5ee9c00acff3bfccdb48a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe
PID 2580 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\b313bbe17bd5ee9c00acff3bfccdb48a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe
PID 2580 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\b313bbe17bd5ee9c00acff3bfccdb48a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe
PID 2580 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\b313bbe17bd5ee9c00acff3bfccdb48a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe
PID 2580 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\b313bbe17bd5ee9c00acff3bfccdb48a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe
PID 2580 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\b313bbe17bd5ee9c00acff3bfccdb48a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe
PID 2580 wrote to memory of 2216 N/A C:\Users\Admin\AppData\Local\Temp\b313bbe17bd5ee9c00acff3bfccdb48a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe
PID 2716 wrote to memory of 2528 N/A C:\ProgramData\SxS\Nv.exe C:\Windows\SysWOW64\svchost.exe
PID 2716 wrote to memory of 2528 N/A C:\ProgramData\SxS\Nv.exe C:\Windows\SysWOW64\svchost.exe
PID 2716 wrote to memory of 2528 N/A C:\ProgramData\SxS\Nv.exe C:\Windows\SysWOW64\svchost.exe
PID 2716 wrote to memory of 2528 N/A C:\ProgramData\SxS\Nv.exe C:\Windows\SysWOW64\svchost.exe
PID 2716 wrote to memory of 2528 N/A C:\ProgramData\SxS\Nv.exe C:\Windows\SysWOW64\svchost.exe
PID 2716 wrote to memory of 2528 N/A C:\ProgramData\SxS\Nv.exe C:\Windows\SysWOW64\svchost.exe
PID 2716 wrote to memory of 2528 N/A C:\ProgramData\SxS\Nv.exe C:\Windows\SysWOW64\svchost.exe
PID 2716 wrote to memory of 2528 N/A C:\ProgramData\SxS\Nv.exe C:\Windows\SysWOW64\svchost.exe
PID 2716 wrote to memory of 2528 N/A C:\ProgramData\SxS\Nv.exe C:\Windows\SysWOW64\svchost.exe
PID 2528 wrote to memory of 2104 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 2528 wrote to memory of 2104 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 2528 wrote to memory of 2104 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 2528 wrote to memory of 2104 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 2528 wrote to memory of 2104 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 2528 wrote to memory of 2104 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 2528 wrote to memory of 2104 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 2528 wrote to memory of 2104 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 2528 wrote to memory of 2104 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 2528 wrote to memory of 2104 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 2528 wrote to memory of 2104 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 2528 wrote to memory of 2104 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b313bbe17bd5ee9c00acff3bfccdb48a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b313bbe17bd5ee9c00acff3bfccdb48a_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe"

C:\ProgramData\SxS\Nv.exe

"C:\ProgramData\SxS\Nv.exe" 100 2216

C:\ProgramData\SxS\Nv.exe

"C:\ProgramData\SxS\Nv.exe" 200 0

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe 201 0

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\system32\msiexec.exe 209 2528

Network

Country Destination Domain Proto
N/A 10.127.255.255:53 udp
US 8.8.8.8:53 www.trendmicro-update.org udp
US 8.8.8.8:53 www.trendmicro-update.org udp
US 8.8.8.8:53 www.trendmicro-update.org udp
US 8.8.8.8:53 www.trendmicro-update.org udp
US 8.8.8.8:53 www.trendmicro-update.org udp
US 8.8.8.8:53 www.trendmicro-update.org udp
US 8.8.8.8:53 www.trendmicro-update.org udp
US 8.8.8.8:53 www.trendmicro-update.org udp
US 8.8.8.8:53 www.trendmicro-update.org udp
US 8.8.8.8:53 www.trendmicro-update.org udp

Files

\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe

MD5 09b8b54f78a10c435cd319070aa13c28
SHA1 6474d0369f97e72e01e4971128d1062f5c2b3656
SHA256 523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256
SHA512 c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll

MD5 0aa39c6eafc45d18d4a15f1ed6dff6a8
SHA1 daa921673a22a6b3c03e311e51d7e74ac1710fc2
SHA256 5e2ca5276edc4f5df39b40733acfd1298192432a66fa477ac32056a473a4636a
SHA512 0c107b57fd7678c169f62a085a90f5ad6eed56b431c5a67fd2c195b1960a2a38f19e9d1e2bff8b3a0cc39c7ae32608459b82f91e99a6852d059ad6567c22ec6e

C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll.URL

MD5 bbb5f685f91b0d0d8e272d1c23911e19
SHA1 aa2154c4549e37397588f3a38b1d0f906bc87e9a
SHA256 29641dccedf3a220524ce2fff5d1fa48576aa92de9dfc4ec3da39ca5bf5d8bdd
SHA512 86f8dd3b9a904ae5a687be5370ced5bcb677608747c4f5576435a3d421a9e49d3101056bf09fb76711800cc6f1f0dbe78da7cdcb0c0329b7866c432a2317d69c

memory/2216-26-0x0000000000400000-0x000000000040D000-memory.dmp

memory/2216-25-0x0000000000401000-0x0000000000402000-memory.dmp

memory/2216-27-0x0000000000320000-0x0000000000359000-memory.dmp

memory/3024-45-0x0000000000400000-0x000000000040D000-memory.dmp

memory/3024-46-0x0000000000450000-0x0000000000489000-memory.dmp

memory/2716-49-0x0000000000450000-0x0000000000489000-memory.dmp

memory/2528-54-0x00000000000C0000-0x00000000000C2000-memory.dmp

memory/2528-53-0x00000000000A0000-0x00000000000C0000-memory.dmp

memory/2528-50-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2528-55-0x0000000000250000-0x0000000000289000-memory.dmp

memory/2528-58-0x0000000000250000-0x0000000000289000-memory.dmp

memory/2528-71-0x0000000000250000-0x0000000000289000-memory.dmp

memory/2528-74-0x0000000000250000-0x0000000000289000-memory.dmp

memory/2528-73-0x0000000000250000-0x0000000000289000-memory.dmp

memory/2528-72-0x0000000000250000-0x0000000000289000-memory.dmp

memory/2528-69-0x0000000000250000-0x0000000000289000-memory.dmp

memory/2528-68-0x0000000000020000-0x0000000000021000-memory.dmp

memory/2528-70-0x0000000000250000-0x0000000000289000-memory.dmp

memory/2216-57-0x0000000000320000-0x0000000000359000-memory.dmp

memory/2716-56-0x0000000000450000-0x0000000000489000-memory.dmp

memory/3024-77-0x0000000000450000-0x0000000000489000-memory.dmp

memory/2104-84-0x0000000000130000-0x0000000000131000-memory.dmp

memory/2104-85-0x00000000008D0000-0x0000000000909000-memory.dmp

memory/2104-83-0x00000000008D0000-0x0000000000909000-memory.dmp

memory/2104-86-0x00000000008D0000-0x0000000000909000-memory.dmp

memory/2528-87-0x0000000000250000-0x0000000000289000-memory.dmp

memory/2528-88-0x0000000000250000-0x0000000000289000-memory.dmp

memory/2528-89-0x0000000000250000-0x0000000000289000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-16 10:38
Reported 2024-06-16 10:41
Platform win10v2004-20240508-en
Max time kernel 150s
Max time network 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\b313bbe17bd5ee9c00acff3bfccdb48a_JaffaCakes118.exe"

Signatures

Detects PlugX payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

PlugX

trojan plugx

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\b313bbe17bd5ee9c00acff3bfccdb48a_JaffaCakes118.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe N/A
N/A N/A C:\ProgramData\SxS\Nv.exe N/A
N/A N/A C:\ProgramData\SxS\Nv.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe N/A
N/A N/A C:\ProgramData\SxS\Nv.exe N/A
N/A N/A C:\ProgramData\SxS\Nv.exe N/A

Enumerates physical storage devices

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0 C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" C:\Windows\SysWOW64\svchost.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent\Post Platform C:\Windows\SysWOW64\svchost.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft C:\Windows\SysWOW64\svchost.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\CLASSES\FAST C:\Windows\SysWOW64\svchost.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 41004500410044004300450038003300360046004200330042003000410046000000 C:\Windows\SysWOW64\svchost.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\svchost.exe N/A
N/A N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe N/A
Token: SeTcbPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\SxS\Nv.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\SxS\Nv.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\SxS\Nv.exe N/A
Token: SeTcbPrivilege N/A C:\ProgramData\SxS\Nv.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A
Token: SeTcbPrivilege N/A C:\Windows\SysWOW64\msiexec.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4888 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\b313bbe17bd5ee9c00acff3bfccdb48a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe
PID 4888 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\b313bbe17bd5ee9c00acff3bfccdb48a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe
PID 4888 wrote to memory of 4756 N/A C:\Users\Admin\AppData\Local\Temp\b313bbe17bd5ee9c00acff3bfccdb48a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe
PID 4156 wrote to memory of 2372 N/A C:\ProgramData\SxS\Nv.exe C:\Windows\SysWOW64\svchost.exe
PID 4156 wrote to memory of 2372 N/A C:\ProgramData\SxS\Nv.exe C:\Windows\SysWOW64\svchost.exe
PID 4156 wrote to memory of 2372 N/A C:\ProgramData\SxS\Nv.exe C:\Windows\SysWOW64\svchost.exe
PID 4156 wrote to memory of 2372 N/A C:\ProgramData\SxS\Nv.exe C:\Windows\SysWOW64\svchost.exe
PID 4156 wrote to memory of 2372 N/A C:\ProgramData\SxS\Nv.exe C:\Windows\SysWOW64\svchost.exe
PID 4156 wrote to memory of 2372 N/A C:\ProgramData\SxS\Nv.exe C:\Windows\SysWOW64\svchost.exe
PID 4156 wrote to memory of 2372 N/A C:\ProgramData\SxS\Nv.exe C:\Windows\SysWOW64\svchost.exe
PID 4156 wrote to memory of 2372 N/A C:\ProgramData\SxS\Nv.exe C:\Windows\SysWOW64\svchost.exe
PID 2372 wrote to memory of 1352 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 2372 wrote to memory of 1352 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 2372 wrote to memory of 1352 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 2372 wrote to memory of 1352 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 2372 wrote to memory of 1352 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 2372 wrote to memory of 1352 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 2372 wrote to memory of 1352 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe
PID 2372 wrote to memory of 1352 N/A C:\Windows\SysWOW64\svchost.exe C:\Windows\SysWOW64\msiexec.exe

Processes

C:\Users\Admin\AppData\Local\Temp\b313bbe17bd5ee9c00acff3bfccdb48a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\b313bbe17bd5ee9c00acff3bfccdb48a_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe

"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe"

C:\ProgramData\SxS\Nv.exe

"C:\ProgramData\SxS\Nv.exe" 100 4756

C:\ProgramData\SxS\Nv.exe

"C:\ProgramData\SxS\Nv.exe" 200 0

C:\Windows\SysWOW64\svchost.exe

C:\Windows\system32\svchost.exe 201 0

C:\Windows\SysWOW64\msiexec.exe

C:\Windows\system32\msiexec.exe 209 2372

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
N/A 255.255.255.255:53 www.trendmicro-update.org udp
N/A 10.127.255.255:53 udp
US 8.8.8.8:53 www.trendmicro-update.org udp
US 8.8.8.8:53 www.trendmicro-update.org udp
N/A 255.255.255.255:53 www.trendmicro-update.org udp
US 8.8.8.8:53 www.trendmicro-update.org udp
N/A 255.255.255.255:53 www.trendmicro-update.org udp
US 8.8.8.8:53 www.trendmicro-update.org udp
US 8.8.8.8:53 www.trendmicro-update.org udp
N/A 255.255.255.255:53 www.trendmicro-update.org udp
US 8.8.8.8:53 www.trendmicro-update.org udp
N/A 255.255.255.255:53 www.trendmicro-update.org udp
US 8.8.8.8:53 www.trendmicro-update.org udp
US 8.8.8.8:53 www.trendmicro-update.org udp
N/A 255.255.255.255:53 www.trendmicro-update.org udp
US 8.8.8.8:53 www.trendmicro-update.org udp
N/A 255.255.255.255:53 www.trendmicro-update.org udp

Files

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Nv.exe

MD5 09b8b54f78a10c435cd319070aa13c28
SHA1 6474d0369f97e72e01e4971128d1062f5c2b3656
SHA256 523d28df917f9d265cd2c0d38df26277bc56a535145100ed82e6f5fdeaae7256
SHA512 c1f2f5c4aa5eb55d255e22db032da954a38a0204fb4d9bc76042f140f1b1e171944aa09b0eb11159323a8b9f33974c73fd32a4f76d976aaa8a16cc9c60a34ca7

C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll

MD5 0aa39c6eafc45d18d4a15f1ed6dff6a8
SHA1 daa921673a22a6b3c03e311e51d7e74ac1710fc2
SHA256 5e2ca5276edc4f5df39b40733acfd1298192432a66fa477ac32056a473a4636a
SHA512 0c107b57fd7678c169f62a085a90f5ad6eed56b431c5a67fd2c195b1960a2a38f19e9d1e2bff8b3a0cc39c7ae32608459b82f91e99a6852d059ad6567c22ec6e

memory/4756-19-0x0000000000401000-0x0000000000402000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RarSFX0\NvSmartMax.dll.URL

MD5 bbb5f685f91b0d0d8e272d1c23911e19
SHA1 aa2154c4549e37397588f3a38b1d0f906bc87e9a
SHA256 29641dccedf3a220524ce2fff5d1fa48576aa92de9dfc4ec3da39ca5bf5d8bdd
SHA512 86f8dd3b9a904ae5a687be5370ced5bcb677608747c4f5576435a3d421a9e49d3101056bf09fb76711800cc6f1f0dbe78da7cdcb0c0329b7866c432a2317d69c

memory/4756-20-0x0000000002190000-0x00000000021C9000-memory.dmp

memory/4756-21-0x0000000000400000-0x000000000040D000-memory.dmp

memory/396-40-0x0000000000400000-0x000000000040D000-memory.dmp

memory/396-39-0x00000000006D0000-0x0000000000709000-memory.dmp

memory/4156-43-0x0000000000E30000-0x0000000000E69000-memory.dmp

memory/4156-44-0x0000000000400000-0x000000000040D000-memory.dmp

memory/2372-45-0x0000000000970000-0x0000000000971000-memory.dmp

memory/2372-46-0x0000000001190000-0x00000000011C9000-memory.dmp

memory/4156-47-0x0000000000E30000-0x0000000000E69000-memory.dmp

memory/2372-48-0x0000000001190000-0x00000000011C9000-memory.dmp

memory/2372-58-0x0000000000970000-0x0000000000971000-memory.dmp

memory/4756-61-0x0000000002190000-0x00000000021C9000-memory.dmp

memory/2372-64-0x0000000001190000-0x00000000011C9000-memory.dmp

memory/2372-65-0x0000000001190000-0x00000000011C9000-memory.dmp

memory/2372-63-0x0000000001190000-0x00000000011C9000-memory.dmp

memory/2372-62-0x0000000001190000-0x00000000011C9000-memory.dmp

memory/2372-60-0x0000000001190000-0x00000000011C9000-memory.dmp

memory/2372-59-0x0000000001190000-0x00000000011C9000-memory.dmp

memory/396-68-0x00000000006D0000-0x0000000000709000-memory.dmp

memory/1352-69-0x0000000002540000-0x0000000002579000-memory.dmp

memory/1352-70-0x0000000000B90000-0x0000000000B91000-memory.dmp

memory/1352-72-0x0000000002540000-0x0000000002579000-memory.dmp

memory/1352-71-0x0000000002540000-0x0000000002579000-memory.dmp

memory/2372-73-0x0000000001190000-0x00000000011C9000-memory.dmp

memory/2372-74-0x0000000001190000-0x00000000011C9000-memory.dmp

memory/2372-75-0x0000000001190000-0x00000000011C9000-memory.dmp