Malware Analysis Report

2024-08-06 18:55

Sample ID 240620-j6jchaxeph
Target 044bf3b1471af9d566e2d16e1d00439f_JaffaCakes118
SHA256 646eb9be1126e03369f16af5e3d4870cb3ff7a88f453ba738fa946edadebdd69
Tags
darkcomet ebp persistence rat trojan
score
10/10

Analysis Overview

score
10/10

SHA256

646eb9be1126e03369f16af5e3d4870cb3ff7a88f453ba738fa946edadebdd69

Threat Level: Known bad

The file 044bf3b1471af9d566e2d16e1d00439f_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

darkcomet ebp persistence rat trojan

Modifies WinLogon for persistence

Darkcomet

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Program crash

Unsigned PE

Enumerates physical storage devices

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-20 08:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 08:16

Reported

2024-06-20 08:19

Platform

win10v2004-20240226-en

Max time kernel

143s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\044bf3b1471af9d566e2d16e1d00439f_JaffaCakes118.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\044bf3b1471af9d566e2d16e1d00439f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\044bf3b1471af9d566e2d16e1d00439f_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 432 -p 4764 -ip 4764

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4764 -s 268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4252 --field-trial-handle=2656,i,16940681401824032220,151921362336696246,262144 --variations-seed-version /prefetch:8

Network

Files

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 08:16

Reported

2024-06-20 08:19

Platform

win7-20240611-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\044bf3b1471af9d566e2d16e1d00439f_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Virtual\STUBEXE\8.0.1135\@DOCUMENTS@\EpicBotPatcher.exe.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\044bf3b1471af9d566e2d16e1d00439f_JaffaCakes118.exe N/A
N/A N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Virtual\STUBEXE\8.0.1135\@DOCUMENTS@\EpicBotPatcher.exe.exe N/A
N/A N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Native\STUBEXE\8.0.1135\@APPDATALOCAL@\Temp\EPICBOTPATCHER.EXE N/A
N/A N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Native\STUBEXE\8.0.1135\@DOCUMENTS@\MSDCSC\msdcsc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Virtual\STUBEXE\8.0.1135\@DOCUMENTS@\EpicBotPatcher.exe.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\044bf3b1471af9d566e2d16e1d00439f_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\044bf3b1471af9d566e2d16e1d00439f_JaffaCakes118.exe N/A
Token: SeIncreaseQuotaPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Virtual\STUBEXE\8.0.1135\@DOCUMENTS@\EpicBotPatcher.exe.exe N/A
Token: SeSecurityPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Virtual\STUBEXE\8.0.1135\@DOCUMENTS@\EpicBotPatcher.exe.exe N/A
Token: SeTakeOwnershipPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Virtual\STUBEXE\8.0.1135\@DOCUMENTS@\EpicBotPatcher.exe.exe N/A
Token: SeLoadDriverPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Virtual\STUBEXE\8.0.1135\@DOCUMENTS@\EpicBotPatcher.exe.exe N/A
Token: SeSystemProfilePrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Virtual\STUBEXE\8.0.1135\@DOCUMENTS@\EpicBotPatcher.exe.exe N/A
Token: SeSystemtimePrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Virtual\STUBEXE\8.0.1135\@DOCUMENTS@\EpicBotPatcher.exe.exe N/A
Token: SeProfSingleProcessPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Virtual\STUBEXE\8.0.1135\@DOCUMENTS@\EpicBotPatcher.exe.exe N/A
Token: SeIncBasePriorityPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Virtual\STUBEXE\8.0.1135\@DOCUMENTS@\EpicBotPatcher.exe.exe N/A
Token: SeCreatePagefilePrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Virtual\STUBEXE\8.0.1135\@DOCUMENTS@\EpicBotPatcher.exe.exe N/A
Token: SeBackupPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Virtual\STUBEXE\8.0.1135\@DOCUMENTS@\EpicBotPatcher.exe.exe N/A
Token: SeRestorePrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Virtual\STUBEXE\8.0.1135\@DOCUMENTS@\EpicBotPatcher.exe.exe N/A
Token: SeShutdownPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Virtual\STUBEXE\8.0.1135\@DOCUMENTS@\EpicBotPatcher.exe.exe N/A
Token: SeDebugPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Virtual\STUBEXE\8.0.1135\@DOCUMENTS@\EpicBotPatcher.exe.exe N/A
Token: SeSystemEnvironmentPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Virtual\STUBEXE\8.0.1135\@DOCUMENTS@\EpicBotPatcher.exe.exe N/A
Token: SeChangeNotifyPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Virtual\STUBEXE\8.0.1135\@DOCUMENTS@\EpicBotPatcher.exe.exe N/A
Token: SeRemoteShutdownPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Virtual\STUBEXE\8.0.1135\@DOCUMENTS@\EpicBotPatcher.exe.exe N/A
Token: SeUndockPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Virtual\STUBEXE\8.0.1135\@DOCUMENTS@\EpicBotPatcher.exe.exe N/A
Token: SeManageVolumePrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Virtual\STUBEXE\8.0.1135\@DOCUMENTS@\EpicBotPatcher.exe.exe N/A
Token: SeImpersonatePrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Virtual\STUBEXE\8.0.1135\@DOCUMENTS@\EpicBotPatcher.exe.exe N/A
Token: SeCreateGlobalPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Virtual\STUBEXE\8.0.1135\@DOCUMENTS@\EpicBotPatcher.exe.exe N/A
Token: 33 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Virtual\STUBEXE\8.0.1135\@DOCUMENTS@\EpicBotPatcher.exe.exe N/A
Token: 34 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Virtual\STUBEXE\8.0.1135\@DOCUMENTS@\EpicBotPatcher.exe.exe N/A
Token: 35 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Virtual\STUBEXE\8.0.1135\@DOCUMENTS@\EpicBotPatcher.exe.exe N/A
Token: SeIncreaseQuotaPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Native\STUBEXE\8.0.1135\@DOCUMENTS@\MSDCSC\msdcsc.exe N/A
Token: SeSecurityPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Native\STUBEXE\8.0.1135\@DOCUMENTS@\MSDCSC\msdcsc.exe N/A
Token: SeTakeOwnershipPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Native\STUBEXE\8.0.1135\@DOCUMENTS@\MSDCSC\msdcsc.exe N/A
Token: SeLoadDriverPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Native\STUBEXE\8.0.1135\@DOCUMENTS@\MSDCSC\msdcsc.exe N/A
Token: SeSystemProfilePrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Native\STUBEXE\8.0.1135\@DOCUMENTS@\MSDCSC\msdcsc.exe N/A
Token: SeSystemtimePrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Native\STUBEXE\8.0.1135\@DOCUMENTS@\MSDCSC\msdcsc.exe N/A
Token: SeProfSingleProcessPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Native\STUBEXE\8.0.1135\@DOCUMENTS@\MSDCSC\msdcsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Native\STUBEXE\8.0.1135\@DOCUMENTS@\MSDCSC\msdcsc.exe N/A
Token: SeCreatePagefilePrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Native\STUBEXE\8.0.1135\@DOCUMENTS@\MSDCSC\msdcsc.exe N/A
Token: SeBackupPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Native\STUBEXE\8.0.1135\@DOCUMENTS@\MSDCSC\msdcsc.exe N/A
Token: SeRestorePrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Native\STUBEXE\8.0.1135\@DOCUMENTS@\MSDCSC\msdcsc.exe N/A
Token: SeShutdownPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Native\STUBEXE\8.0.1135\@DOCUMENTS@\MSDCSC\msdcsc.exe N/A
Token: SeDebugPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Native\STUBEXE\8.0.1135\@DOCUMENTS@\MSDCSC\msdcsc.exe N/A
Token: SeSystemEnvironmentPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Native\STUBEXE\8.0.1135\@DOCUMENTS@\MSDCSC\msdcsc.exe N/A
Token: SeChangeNotifyPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Native\STUBEXE\8.0.1135\@DOCUMENTS@\MSDCSC\msdcsc.exe N/A
Token: SeRemoteShutdownPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Native\STUBEXE\8.0.1135\@DOCUMENTS@\MSDCSC\msdcsc.exe N/A
Token: SeUndockPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Native\STUBEXE\8.0.1135\@DOCUMENTS@\MSDCSC\msdcsc.exe N/A
Token: SeManageVolumePrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Native\STUBEXE\8.0.1135\@DOCUMENTS@\MSDCSC\msdcsc.exe N/A
Token: SeImpersonatePrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Native\STUBEXE\8.0.1135\@DOCUMENTS@\MSDCSC\msdcsc.exe N/A
Token: SeCreateGlobalPrivilege N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Native\STUBEXE\8.0.1135\@DOCUMENTS@\MSDCSC\msdcsc.exe N/A
Token: 33 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Native\STUBEXE\8.0.1135\@DOCUMENTS@\MSDCSC\msdcsc.exe N/A
Token: 34 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Native\STUBEXE\8.0.1135\@DOCUMENTS@\MSDCSC\msdcsc.exe N/A
Token: 35 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Native\STUBEXE\8.0.1135\@DOCUMENTS@\MSDCSC\msdcsc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2264 wrote to memory of 1372 N/A C:\Users\Admin\AppData\Local\Temp\044bf3b1471af9d566e2d16e1d00439f_JaffaCakes118.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Virtual\STUBEXE\8.0.1135\@DOCUMENTS@\EpicBotPatcher.exe.exe
PID 1372 wrote to memory of 2488 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Virtual\STUBEXE\8.0.1135\@DOCUMENTS@\EpicBotPatcher.exe.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Native\STUBEXE\8.0.1135\@APPDATALOCAL@\Temp\EPICBOTPATCHER.EXE
PID 1372 wrote to memory of 2892 N/A \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Virtual\STUBEXE\8.0.1135\@DOCUMENTS@\EpicBotPatcher.exe.exe \DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Native\STUBEXE\8.0.1135\@DOCUMENTS@\MSDCSC\msdcsc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\044bf3b1471af9d566e2d16e1d00439f_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\044bf3b1471af9d566e2d16e1d00439f_JaffaCakes118.exe"

\DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Virtual\STUBEXE\8.0.1135\@DOCUMENTS@\EpicBotPatcher.exe.exe

"C:\Users\Admin\Documents\EpicBotPatcher.exe.exe"

\DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Native\STUBEXE\8.0.1135\@APPDATALOCAL@\Temp\EPICBOTPATCHER.EXE

"C:\Users\Admin\AppData\Local\Temp\EPICBOTPATCHER.EXE"

\DEVICE\HARDDISKVOLUME2\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Native\STUBEXE\8.0.1135\@DOCUMENTS@\MSDCSC\msdcsc.exe

"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 dcservertet.no-ip.biz udp

Files

\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Virtual\STUBEXE\8.0.1135\@DOCUMENTS@\EpicBotPatcher.exe.exe

MD5 5c1bd8d183bc09e617fac8a0ef0c4c28
SHA1 9dc878eb7cc4c3e3e3ee663471c2a5040f13a1f6
SHA256 971aa6db0ef9a0e7e86a39ba61e825a6b4ada79eafa321dd6673ed0c9e348c80
SHA512 f43741cbd92ed12f7e3c134564c535c582b343cf0f2b86b412faa9632a64114c0658740e3605270e5137a5706dd5bb5f748813e5eb29bb4db485a2b98dd4bf6e

\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Virtual\MODIFIED\@DOCUMENTS@\EpicBotPatcher.exe.exe

MD5 8e45f24897782dfd4e205b82d328e6b5
SHA1 699fc852a712238be2ff1a1adfb5e719c3de4645
SHA256 b4bde29a37502ddccab1a0a330ada64a3c241f115db1daba3fb8958d2b61d73c
SHA512 aa97a4c93f9dfa87f140188016c21dbf909b859a6a2a26bfc666af2a4466bacb55b5668385aab687df8f09791c8576621a650a6301a2ca0e78c9f6b767ea8cca

C:\Users\Admin\AppData\Local\Temp\EPICBOTPATCHER.EXE

MD5 d32b48eaeaef877b69751c9045ead30c
SHA1 e7374a048b87e4feeda2d109be82686a42917ab8
SHA256 c35f17e36a09b55445e04285b053aea29b4a52efec7d6a9014f9cdf2164e6f23
SHA512 cc31b9bcf13d9a37e407ed65042876a6742ab9f4bc43fb99666cf6320c2a051825ed97207979c10f8f2820c15c0cc23e84b39dc58d676fb06b25324a92ae2aa7

C:\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Native\STUBEXE\8.0.1135\@APPDATALOCAL@\Temp\EPICBOTPATCHER.EXE

MD5 c26241506736859b04732bdc6c379f22
SHA1 d9bb520ad8a96d2b1686e27e84c6e8a5613ecab7
SHA256 de001a73956e284932132531e164e6486a2e029ecc5fd0c59cc69dd06574ebfe
SHA512 98e44d11b481375c6936cee467295975ba6c6bc409d9eff5b3b1d881d52a5778e319d100c381b389aa1de8a9a651fb9daf420f93a251f83c3a43da4fd408c2fd

\Users\Admin\AppData\Local\Xenocode\Sandbox\EpicBotPatcher\1.1.0.1\2012.03.27T15.08\Native\STUBEXE\8.0.1135\@DOCUMENTS@\MSDCSC\msdcsc.exe

MD5 f7d526c3ff55b4b5ab8338ce3421c35e
SHA1 dfae8d46cf52382c4ec71f2c5ff4d82be1cdb1df
SHA256 583a345058cad9b24938402ecb7cbbcea3ef2c5ac766d08b97f3802026cdb057
SHA512 938f95b9ba53137506a62847311b665afff874fb47dff7c726aff4bec18f6e7fbfdc0b81ed78e70ac78bb4a657a892b3c04e4b41ec0da6ad5d03c6efa69d1d18
