Analysis Overview
SHA256
a259e50b3a0ab5abd711455cbcec62c0bfbcbda112a7cad719466dc494e285f5
Threat Level: Known bad
The file 0008d6d7ea0571daf5b451985095b9ca_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
MetaSploit
Modifies security service
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Unsigned PE
Suspicious use of WriteProcessMemory
Runs .reg file with regedit
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-19 18:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-19 18:50
Reported
2024-06-19 18:52
Platform
win7-20240508-en
Max time kernel
137s
Max time network
121s
Command Line
Signatures
MetaSploit
Modifies security service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\msxdll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msxdll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msxdll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msxdll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msxdll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msxdll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msxdll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msxdll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msxdll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msxdll.exe | N/A |
Loads dropped DLL
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File created | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File created | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File created | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msxdll.exe | C:\Users\Admin\AppData\Local\Temp\0008d6d7ea0571daf5b451985095b9ca_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File created | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File created | C:\Windows\SysWOW64\msxdll.exe | C:\Users\Admin\AppData\Local\Temp\0008d6d7ea0571daf5b451985095b9ca_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File created | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File created | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File created | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File created | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0008d6d7ea0571daf5b451985095b9ca_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0008d6d7ea0571daf5b451985095b9ca_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\msxdll.exe
C:\Windows\system32\msxdll.exe 504 "C:\Users\Admin\AppData\Local\Temp\0008d6d7ea0571daf5b451985095b9ca_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\msxdll.exe
C:\Windows\system32\msxdll.exe 536 "C:\Windows\SysWOW64\msxdll.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\msxdll.exe
C:\Windows\system32\msxdll.exe 540 "C:\Windows\SysWOW64\msxdll.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\msxdll.exe
C:\Windows\system32\msxdll.exe 544 "C:\Windows\SysWOW64\msxdll.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\msxdll.exe
C:\Windows\system32\msxdll.exe 548 "C:\Windows\SysWOW64\msxdll.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\msxdll.exe
C:\Windows\system32\msxdll.exe 552 "C:\Windows\SysWOW64\msxdll.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\msxdll.exe
C:\Windows\system32\msxdll.exe 528 "C:\Windows\SysWOW64\msxdll.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\msxdll.exe
C:\Windows\system32\msxdll.exe 560 "C:\Windows\SysWOW64\msxdll.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\msxdll.exe
C:\Windows\system32\msxdll.exe 564 "C:\Windows\SysWOW64\msxdll.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\msxdll.exe
C:\Windows\system32\msxdll.exe 568 "C:\Windows\SysWOW64\msxdll.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
Network
Files
C:\a.bat
| MD5 | 0019a0451cc6b9659762c3e274bc04fb |
| SHA1 | 5259e256cc0908f2846e532161b989f1295f479b |
| SHA256 | ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876 |
| SHA512 | 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904 |
memory/2140-7-0x0000000000400000-0x000000000053D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 1b2949b211ab497b739b1daf37cd4101 |
| SHA1 | 12cad1063d28129ddd89e80acc2940f8dfbbaab3 |
| SHA256 | 3e906a8373d1dfa40782f56710768abd4365933ad60f2ca9e974743c25b4cb6c |
| SHA512 | a9e6555d435fe3e7a63059f20cd4c59531319421efcd90ca1d14498c28d9882ab0b7cd1af63dd50fa693b3b5a714db572d61867c56b86618423c7feaf043f2ef |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 9e5db93bd3302c217b15561d8f1e299d |
| SHA1 | 95a5579b336d16213909beda75589fd0a2091f30 |
| SHA256 | f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e |
| SHA512 | b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a |
\Windows\SysWOW64\msxdll.exe
| MD5 | 0008d6d7ea0571daf5b451985095b9ca |
| SHA1 | e6049ce2a34a0197e3eb60317db4c89ad8d6d40e |
| SHA256 | a259e50b3a0ab5abd711455cbcec62c0bfbcbda112a7cad719466dc494e285f5 |
| SHA512 | af0611cc26796c11466f9d67d9e269c247532fbbf708922708bf1eb8e1628bd33b85af702796031f4d64844888b3a2f9239d3e932813239c2aea482ddff4a21d |
memory/2140-119-0x00000000027D0000-0x000000000290D000-memory.dmp
memory/2716-128-0x0000000000400000-0x000000000053D000-memory.dmp
memory/2140-126-0x00000000027D0000-0x000000000290D000-memory.dmp
memory/2140-129-0x0000000000400000-0x000000000053D000-memory.dmp
memory/1396-135-0x0000000000400000-0x000000000053D000-memory.dmp
memory/2716-134-0x00000000028F0000-0x0000000002A2D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 6dd7ad95427e77ae09861afd77104775 |
| SHA1 | 81c2ffe8c63e71f013a07e5794473b60f50c0716 |
| SHA256 | 8eb7ba2c4ca558bb764f1db1ea0da16c08791a79e995704e5c1b9f3e855008c2 |
| SHA512 | 171d8a96006ea9ff2655af49bd3bfc4702ba8573b3e6f93237ee52e0be68dd09e123495f9fbda9ff69d03fe843d9306798cae6c156202d48b8d021722eedc7cb |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | f82bc8865c1f6bf7125563479421f95c |
| SHA1 | 65c25d7af3ab1f29ef2ef1fdc67378ac9c82098d |
| SHA256 | f9799dc2afb8128d1925b69fdef1d641f312ed41254dd5f4ac543cf50648a2f6 |
| SHA512 | 00a9b7798a630779dc30296c3d0fed2589e7e86d6941f4502ea301c5bce2e80a5d8a4916e36183c7064f968b539ae6dac49094b1de3643a1a2fedc83cf558825 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 47985593a44ee38c64665b04cbd4b84c |
| SHA1 | 84900c2b2e116a7b744730733f63f2a38b4eb76e |
| SHA256 | 4a62e43cadba3b8fa2ebead61f9509107d8453a6d66917aad5efab391a8f8e70 |
| SHA512 | abdd7f2f701a5572fd6b8b73ff4a013c1f9b157b20f4e193f9d1ed2b3ac4911fa36ffc84ca62d2ceea752a65af34ec77e3766e97e396a8470031990faff1a269 |
memory/2716-251-0x0000000000400000-0x000000000053D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 09e45f09a25fed7995c8430f4a370ade |
| SHA1 | fc49fec86e600a7c4e1b6bfa274f883635d65687 |
| SHA256 | f827e79f717d490ba61a9ec5f8198ebc3066e22fd25871f06ce15f04162f57b9 |
| SHA512 | 1a6ed68eced45f30fff3f281ceb082d6ae9e13bc71f6f7da5b4ba064e9876ef7efd76eaffe1325f6e3dfa3a5429200302ea84915245f26ac393105fd1ec365ad |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | d8be0d42e512d922804552250f01eb90 |
| SHA1 | cda2fd8fc9c4cdf15d5e2f07a4c633e21d11c9d3 |
| SHA256 | 901619f668fe541b53d809cd550460f579985c3d2f3d899a557997e778eb1d82 |
| SHA512 | f53619e1ec3c9abc833f9fca1174529fb4a4723b64f7560059cd3147d74ea8fe945a7bd0034f6fb68c0e61b6782a26908d30a749a256e019031b5a6ac088eb97 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 5f6aefafda312b288b7d555c1fc36dc9 |
| SHA1 | f25e2fdea9dd714d0fae68af71cace7bb49302ce |
| SHA256 | 60f6d3cbf831857bf18e46a43ff403a03e2035d9430a72d768ea9cec1947917a |
| SHA512 | 97f0250ba79b008d7632a2f32a7b851d9ca87f116b2854d5343c120511cfd55551a1f3eb3e0959602656b39b3f86003a0f9d04243ceb8b73d28eb9bb9449a6de |
memory/1396-370-0x0000000000400000-0x000000000053D000-memory.dmp
memory/2456-381-0x0000000000400000-0x000000000053D000-memory.dmp
memory/296-489-0x0000000000400000-0x000000000053D000-memory.dmp
memory/2208-494-0x0000000000400000-0x000000000053D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 1a00c84e2e8a76c3caa6c0b89f9f0d6d |
| SHA1 | 2650e962d49c5800edb569ee1b989edc8868d9b9 |
| SHA256 | f477217e9368c8114de7621c41a01818957dae31140ffd7df2b39705c72543e6 |
| SHA512 | a5f2f271184ff3bad04dd2135e7d32ca32c2ad24400832ec8a143dcbc20449ede4e06b48479ba93609cb1caf0b41a9143698eafb07b032ebdd609e399d62288c |
memory/2456-610-0x0000000000400000-0x000000000053D000-memory.dmp
memory/1672-622-0x0000000000400000-0x000000000053D000-memory.dmp
memory/2208-615-0x00000000029D0000-0x0000000002B0D000-memory.dmp
memory/2208-730-0x0000000000400000-0x000000000053D000-memory.dmp
memory/2760-742-0x0000000000400000-0x000000000053D000-memory.dmp
memory/1672-791-0x0000000000400000-0x000000000053D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | e2d37af73d5fe4a504db3f8c0d560e3d |
| SHA1 | 88c6bf5b485dd9c79283ccb5d2546ffbb95e563d |
| SHA256 | e615959931f345e611ac44be7534d697c1495c641d13e50ae919a7807c8ff008 |
| SHA512 | 8cb17131326361071a3ae2997cdfaa316ce10c481f48af23fa526380daffa39b2538251cbaa4cf3bd9a9c0014a9184be5a13a44cf45fb93591ba3180670ddb89 |
memory/2756-856-0x0000000000400000-0x000000000053D000-memory.dmp
memory/2760-855-0x00000000028A0000-0x00000000029DD000-memory.dmp
memory/2756-975-0x0000000002940000-0x0000000002A7D000-memory.dmp
memory/2684-976-0x0000000000400000-0x000000000053D000-memory.dmp
memory/2756-984-0x0000000000400000-0x000000000053D000-memory.dmp
memory/2476-990-0x0000000000400000-0x000000000053D000-memory.dmp
memory/2684-1105-0x0000000000400000-0x000000000053D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-19 18:50
Reported
2024-06-19 18:52
Platform
win10v2004-20240226-en
Max time kernel
153s
Max time network
160s
Command Line
Signatures
MetaSploit
Modifies security service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wuauserv\Start = "4" | C:\Windows\SysWOW64\regedit.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\msxdll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msxdll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msxdll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msxdll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msxdll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msxdll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msxdll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msxdll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msxdll.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msxdll.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File created | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File created | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File created | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File created | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msxdll.exe | C:\Users\Admin\AppData\Local\Temp\0008d6d7ea0571daf5b451985095b9ca_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File created | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File created | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File created | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File created | C:\Windows\SysWOW64\msxdll.exe | C:\Users\Admin\AppData\Local\Temp\0008d6d7ea0571daf5b451985095b9ca_JaffaCakes118.exe | N/A |
| File created | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File created | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\msxdll.exe | C:\Windows\SysWOW64\msxdll.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\regedit.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\0008d6d7ea0571daf5b451985095b9ca_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0008d6d7ea0571daf5b451985095b9ca_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\msxdll.exe
C:\Windows\system32\msxdll.exe 1164 "C:\Users\Admin\AppData\Local\Temp\0008d6d7ea0571daf5b451985095b9ca_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\msxdll.exe
C:\Windows\system32\msxdll.exe 1168 "C:\Windows\SysWOW64\msxdll.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\msxdll.exe
C:\Windows\system32\msxdll.exe 1140 "C:\Windows\SysWOW64\msxdll.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3968 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
C:\Windows\SysWOW64\msxdll.exe
C:\Windows\system32\msxdll.exe 1136 "C:\Windows\SysWOW64\msxdll.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\msxdll.exe
C:\Windows\system32\msxdll.exe 1148 "C:\Windows\SysWOW64\msxdll.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\msxdll.exe
C:\Windows\system32\msxdll.exe 1144 "C:\Windows\SysWOW64\msxdll.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\msxdll.exe
C:\Windows\system32\msxdll.exe 1156 "C:\Windows\SysWOW64\msxdll.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\msxdll.exe
C:\Windows\system32\msxdll.exe 1160 "C:\Windows\SysWOW64\msxdll.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\msxdll.exe
C:\Windows\system32\msxdll.exe 1152 "C:\Windows\SysWOW64\msxdll.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\msxdll.exe
C:\Windows\system32\msxdll.exe 1172 "C:\Windows\SysWOW64\msxdll.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c c:\a.bat
C:\Windows\SysWOW64\regedit.exe
REGEDIT /S C:\Users\Admin\AppData\Local\Temp\1.reg
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.234.34.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.77.117.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.204.74:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 74.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 105.246.116.51.in-addr.arpa | udp |
Files
memory/4436-0-0x0000000000400000-0x000000000053D000-memory.dmp
\??\c:\a.bat
| MD5 | 0019a0451cc6b9659762c3e274bc04fb |
| SHA1 | 5259e256cc0908f2846e532161b989f1295f479b |
| SHA256 | ce4674afd978d1401596d22a0961f90c8fb53c5bd55649684e1a999c8cf77876 |
| SHA512 | 314c23ec37cb0cd4443213c019c4541df968447353b422ef6fff1e7ddf6c983c80778787408b7ca9b81e580a6a7f1589ca7f43c022e6fc16182973580ed4d904 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 558ce6da965ba1758d112b22e15aa5a2 |
| SHA1 | a365542609e4d1dc46be62928b08612fcabe2ede |
| SHA256 | c11beaac10a5e00391ef4b41be8c240f59c5a2dc930aead6d7db237fcd2641fb |
| SHA512 | 37f7f10c3d201b11cc5224ae69c5990eb33b4430c601d3c21f6bec9323621120442e0cfa49e1f4eda459ea4ac750277e446dca78b9e44c1445bd891e4e460b5c |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | bf7ee07851e04b2a0dbe554db62dc3aa |
| SHA1 | cad155b66053cd7ce2b969a0eb20a8f4812b1f46 |
| SHA256 | 13dc8dc70b7bb240f6f4cf6be5ff0ec55c606267a328bb9c9e34e5fa70cce0d9 |
| SHA512 | 9ed79305c81287cf01d0138d87c6ec981b5bdd9195c56f8def4c74fdbc9b4816661d084fc1314f99b40102945b61d05121f4eaadec6403d4295a80847b797bc4 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 9e5db93bd3302c217b15561d8f1e299d |
| SHA1 | 95a5579b336d16213909beda75589fd0a2091f30 |
| SHA256 | f360fb5740172b6b4dd59c1ac30b480511665ae991196f833167e275d91f943e |
| SHA512 | b5547e5047a3c43397ee846ff9d5979cba45ba44671db5c5df5536d9dc26262e27a8645a08e0cf35960a3601dc0f6f5fe8d47ae232c9ca44d6899e97d36fb25a |
C:\Windows\SysWOW64\msxdll.exe
| MD5 | 0008d6d7ea0571daf5b451985095b9ca |
| SHA1 | e6049ce2a34a0197e3eb60317db4c89ad8d6d40e |
| SHA256 | a259e50b3a0ab5abd711455cbcec62c0bfbcbda112a7cad719466dc494e285f5 |
| SHA512 | af0611cc26796c11466f9d67d9e269c247532fbbf708922708bf1eb8e1628bd33b85af702796031f4d64844888b3a2f9239d3e932813239c2aea482ddff4a21d |
memory/4436-127-0x0000000000400000-0x000000000053D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 3bd23392c6fcc866c4561388c1dc72ac |
| SHA1 | c4b1462473f1d97fed434014532ea344b8fc05c1 |
| SHA256 | 696a382790ee24d6256b3618b1431eaf14c510a12ff2585edfeae430024c7a43 |
| SHA512 | 15b3a33bb5d5d6e6b149773ff47ade4f22271264f058ad8439403df71d6ecfaa2729ef48487f43d68b517b15efed587b368bc6c5df549983de410ec23b55adb1 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 501effddf60a974e98b67dc8921aa7e8 |
| SHA1 | 734dfe4b508dbc1527ec92e91821a1251aec5b2e |
| SHA256 | 672e3c47827c2fc929fc92cd7d2a61d9ba41e847f876a1e5486e2701cbc3cb06 |
| SHA512 | 28081046c5b0eb6a5578134e19af2a447d38afda338bd3ae4c2fc0054460580d47f9ab6d8c9001ff605e76df462e7bbcab80be15deaf3ca6264e20717dfb9c1c |
memory/4852-267-0x0000000000400000-0x000000000053D000-memory.dmp
memory/4840-368-0x0000000000400000-0x000000000053D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 5b77620cb52220f4a82e3551ee0a53a6 |
| SHA1 | 07d122b8e70ec5887bad4ef8f4d6209df18912d0 |
| SHA256 | 93ee7aaab4bb8bb1a11aede226bdb7c2ad85197ef5054eb58531c4df35599579 |
| SHA512 | 9dc2b10a03c87d294903ff3514ca38ce1e85dec66213a7042d31f70fb20d36fed645150c5a6cb6f08c31bdc9f61e7dee2f1737c98aab263c289b09ffa663371c |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 0d1e5715cf04d212bcd7c9dea5f7ab72 |
| SHA1 | a8add44bf542e4d22260a13de6a35704fb7f3bfb |
| SHA256 | 5d1fc763bce7a43e9e47a75ddb116b7e5d077cc5541c55bc06f2951105b88473 |
| SHA512 | 89da5156b2021e4279d7fb8e3bf0196495f84d9aa04c921533d609f02b1b3edd29de80d5930483b914fe82f5fc319993f7fcd925ca22351fccd56c82652f2117 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 4cee92ad10b11dbf325a40c64ff7d745 |
| SHA1 | b395313d0e979fede2261f8cc558fcebfefcae33 |
| SHA256 | eaeac48f16abac608c9bb5b8d0d363b2ca27708b262c1de41ab0f163c39a2fb1 |
| SHA512 | 3f11992b0c8f7c6f0180f984392f86ea8eb1859be236e2bbfbc863226d3cac67b06700561f27fb673e2955c6ebc5b168dd28ca704de57c4f6c07bdbf14f75ec9 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | c2d6056624c1d37b1baf4445d8705378 |
| SHA1 | 90c0b48eca9016a7d07248ecdb7b93bf3e2f1a83 |
| SHA256 | 3c20257f9e5c689af57f1dbfb8106351bf4cdfbbb922cf0beff34a2ca14f5a96 |
| SHA512 | d199ce15627b85d75c9c3ec5c91fa15b2f799975034e0bd0526c096f41afea4ff6d191a106f626044fbfae264e2b0f3776fde326fc0c2d0dc8d83de66adc7c29 |
memory/3904-515-0x0000000000400000-0x000000000053D000-memory.dmp
memory/3280-566-0x0000000000400000-0x000000000053D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 5da7efcc8d0fcdf2bad7890c3f8a27ca |
| SHA1 | 681788d5a3044eee8426d431bd786375cd32bf13 |
| SHA256 | 7f142c13b7039582d0f10df0271f0e1feea35760a92bf0c5034f444066c92df8 |
| SHA512 | 6e3281f2350c524f9c24ab4455d4c5a109875ead35a35aba3c085d90f99cbc64c6645dfcb805d7a5e670869e67feb481a655305236be8d716347a7c4696a358b |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 159bb1d34a927f58fc851798c7c09b58 |
| SHA1 | c3a26565004531f3a93e29eabb0f9a196b4c1ba2 |
| SHA256 | 53b81439ff38712958d57d158f1402a299c3a131d521c3a7a4a30c56542db7bd |
| SHA512 | b6f9a3d1cb628b79ca97a65645618190b20bfbddee0ceecea710c802d3d92cee3d1e3e675b5fb9ac994a0abb3f0681ed28abbab2fe61f4b54a0fb5d7a7f0034b |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 8d6eb64e58d3f14686110fcaf1363269 |
| SHA1 | d85c0b208716b400894ba4cb569a5af4aa178a2f |
| SHA256 | c2a1a92cfa466fb5697626723b448c1730634ae4e0e533ad6cf11e8e8ebf2cf5 |
| SHA512 | 5022856e8efeab2cdda3d653c4c520f5b6bf5dfa841ffc224a3338acfa8a41fd16321a765077973be46dd6296c6a9bf8341a42c22fe4b0a7fc6edabbcbf16ee7 |
memory/3208-786-0x0000000000400000-0x000000000053D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 5a466127fedf6dbcd99adc917bd74581 |
| SHA1 | a2e60b101c8789b59360d95a64ec07d0723c4d38 |
| SHA256 | 8cd3b8dd28ac014cf973d9ab4b03af1c274bbc9b5ee0ee4ab8af0bdb01573b84 |
| SHA512 | 695cafc932bc8f0a514bc515860cb275297665de63ca3394b55f42c457761ebf654d29d504674681a77b34e3356a469e8c5b97ff7efc24de330d5375f025cba5 |
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 2299014e9ce921b7045e958d39d83e74 |
| SHA1 | 26ed64f84417eb05d1d9d48441342ca1363084da |
| SHA256 | ee2b1a70a028c6d66757d68a847b4631fc722c1e9bfc2ce714b5202f43ec6b57 |
| SHA512 | 0a1922752065a6ab7614ca8a12d5d235dfb088d3759b831de51124894adae79637713d7dee2eb87668fa85e37f3ba00d85a727a7ba3a6301fbf1d47f80c6a08f |
memory/844-898-0x0000000000400000-0x000000000053D000-memory.dmp
memory/3368-901-0x0000000000400000-0x000000000053D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 54ca6e3ef1c12b994043e85a8c9895f0 |
| SHA1 | 5eaccfb482cbe24cf5c3203ffdc926184097427e |
| SHA256 | 0db388471ad17c9c9b4a0a40b2536b7a6f27b8cc96775812d48d7009acb418c0 |
| SHA512 | 925615f057558a00fb0ed3f9faeee2b70f3dd5469376de9381a387b3666c230fc0bb5b83fd3acf0169872e3c5f747cbdaff473d7fa389a5848f3828916680626 |
memory/2276-1011-0x0000000000400000-0x000000000053D000-memory.dmp
memory/3368-1123-0x0000000000400000-0x000000000053D000-memory.dmp
memory/1256-1127-0x0000000000400000-0x000000000053D000-memory.dmp