Analysis Overview
SHA256
258445b5c086f67d1157c2998968bad83a64ca3bab88bfd9d73654819bb46463
Threat Level: Known bad
The file 179dbbdb6e22f978115168d87a70ab33_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
SectopRAT payload
SectopRAT
RedLine
RedLine payload
System Binary Proxy Execution: Regsvcs/Regasm
Executes dropped EXE
Checks computer location settings
Loads dropped DLL
Suspicious use of SetThreadContext
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-06 09:56
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-06 09:56
Reported
2024-10-06 09:58
Platform
win7-20240708-en
Max time kernel
136s
Max time network
146s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
System Binary Proxy Execution: Regsvcs/Regasm
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe | N/A |
| Key opened | \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2956 set thread context of 11728 | N/A | C:\Users\Admin\AppData\Local\Temp\179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 37.1.213.214:63028 | | tcp |
| US | 37.1.213.214:63028 | | tcp |
| US | 37.1.213.214:63028 | | tcp |
| US | 37.1.213.214:63028 | | tcp |
Files
memory/2956-0-0x00000000747FE000-0x00000000747FF000-memory.dmp
memory/2956-1-0x00000000011B0000-0x000000000120C000-memory.dmp
memory/2956-2-0x00000000747F0000-0x0000000074EDE000-memory.dmp
memory/896-5-0x0000000002A30000-0x0000000002A70000-memory.dmp
memory/2956-6-0x00000000747F0000-0x0000000074EDE000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
| MD5 | 69512e86988e7745483bdb0ecbf8d1ca |
| SHA1 | 9b6a6e0b06c0470bbe76603a4ef4414c11915f77 |
| SHA256 | 1f6d76bfd9ca4c03640432f08b884b38f3108319bdbc66e499c7c93da0fb783f |
| SHA512 | 6bf20c63125b691de706efde1be4c65b1f320bd1638241b99f10a4879daf476b3653071c93738e16f3b9091372a78d9047528f1cb433eda3504d80ba30a33a54 |
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ZML68D2X6NJXQTJGKMFG.temp
| MD5 | cd9a7bfb2d8e555767196da38c0c9847 |
| SHA1 | 74c67d44d8e0ba45c07547ef501243bc2bea5e62 |
| SHA256 | 1af434d484130e8aad3d622efe4e73c8840418d6eba28e593ff0c1263b87a360 |
| SHA512 | 3d1e8340aa9db92adeb8141ee009a7cd1f6e55c50362a9cbe21477241c2d58e56a4a9c6c65141840f3eb58a74a08282feb29d88106b73ed4e7286252ce4fa164 |
\Users\Admin\AppData\Local\Temp\RegAsm.exe
| MD5 | b58b926c3574d28d5b7fdd2ca3ec30d5 |
| SHA1 | d260c4ffd603a9cfc057fcb83d678b1cecdf86f9 |
| SHA256 | 6e70b56d748c4ccab13cc8a055d3795ea0dd95fe3b70568d7d3ac0c6621140a3 |
| SHA512 | b13cb998822b716b695013bcd6dec62a2290567d0d1743b2d982ca084235cf69c6ea1fc91c9d4e62657c6f9e102c7c60e81296ab055ffe43b887c5f8ec8958ab |
memory/2956-2514-0x00000000747F0000-0x0000000074EDE000-memory.dmp
memory/11728-2516-0x0000000000400000-0x000000000041E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-06 09:56
Reported
2024-10-06 09:59
Platform
win10v2004-20240802-en
Max time kernel
141s
Max time network
152s
Command Line
Signatures
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
System Binary Proxy Execution: Regsvcs/Regasm
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe | N/A |
| Key opened | \Registry\Machine\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\RegAsm.exe | C:\Users\Admin\AppData\Local\Temp\179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1700 set thread context of 1620 | N/A | C:\Users\Admin\AppData\Local\Temp\179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RegAsm.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\179dbbdb6e22f978115168d87a70ab33_JaffaCakes118.exe"
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3880,i,2904906934812054273,11716976550456127484,262144 --variations-seed-version --mojo-platform-channel-handle=4300 /prefetch:8
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-Connection 8.8.8.8
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | dns.google | udp |
| US | 8.8.8.8:53 | 68.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 37.1.213.214:63028 | | tcp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 37.1.213.214:63028 | | tcp |
| US | 8.8.8.8:53 | 75.117.19.2.in-addr.arpa | udp |
| US | 37.1.213.214:63028 | | tcp |
| US | 37.1.213.214:63028 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bmfjibuq.hpw.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e70cda9ff89367b58c6d6ee3660eb6dc |
| SHA1 | cb5202f7c0101eff4de64bfe06a8fdafffba9e66 |
| SHA256 | dc0f0ac1c76040d620465af06a0aae421ca8b7f6c7055a732a9ee5a91010f960 |
| SHA512 | 280dac097cb30645083a80332b15df8558f2757ac265e1d5dcfeac1af925f89020a6d5d2d11dec0e8892c440a371167f89645db526e5c043a3a388cb7f74f37f |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | 0774a05ce5ee4c1af7097353c9296c62 |
| SHA1 | 658ff96b111c21c39d7ad5f510fb72f9762114bb |
| SHA256 | d9c5347ed06755feeb0615f1671f6b91e2718703da0dbc4b0bd205cbd2896dd4 |
| SHA512 | 104d69fc4f4aaa5070b78ada130228939c7e01436351166fe51fe2da8a02f9948e6d92dd676f62820da1813872b91411e2f863c9a98a760581ec34d4aa354994 |
memory/3840-2537-0x0000000075240000-0x00000000759F0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\RegAsm.exe
| MD5 | 0d5df43af2916f47d00c1573797c1a13 |
| SHA1 | 230ab5559e806574d26b4c20847c368ed55483b0 |
| SHA256 | c066aee7aa3aa83f763ebc5541daa266ed6c648fbffcde0d836a13b221bb2adc |
| SHA512 | f96cf9e1890746b12daf839a6d0f16f062b72c1b8a40439f96583f242980f10f867720232a6fa0f7d4d7ac0a7a6143981a5a130d6417ea98b181447134c7cfe2 |
memory/1700-2544-0x0000000075240000-0x00000000759F0000-memory.dmp
memory/1620-2545-0x0000000000400000-0x000000000041E000-memory.dmp
memory/1620-2547-0x0000000004DE0000-0x0000000004DF2000-memory.dmp
memory/1620-2546-0x00000000053B0000-0x00000000059C8000-memory.dmp
memory/1620-2548-0x0000000004E80000-0x0000000004EBC000-memory.dmp
memory/1620-2549-0x0000000004F10000-0x0000000004F5C000-memory.dmp
memory/1620-2550-0x0000000005130000-0x000000000523A000-memory.dmp