Analysis Overview
SHA256
ab04624c6c23905350f2526ee1813f7a7d4519b2351158e73d9465e4b68c36c5
Threat Level: Known bad
The file 36877a5b3cc6e763976ca0ba166991cc_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Detects PlugX payload
PlugX
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Unsigned PE
Modifies registry class
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Analysis: static1
Detonation Overview
Reported
2024-10-11 19:50
Signatures
Unsigned PE
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-11 19:50
Reported
2024-10-11 19:53
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Signatures
Detects PlugX payload
PlugX
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\36877a5b3cc6e763976ca0ba166991cc_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation | C:\ProgramData\svchost.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSIDB.exe | N/A |
| N/A | N/A | C:\ProgramData\SxS\MSIDB.exe | N/A |
| N/A | N/A | C:\ProgramData\SxS\MSIDB.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSIDB.exe | N/A |
| N/A | N/A | C:\ProgramData\SxS\MSIDB.exe | N/A |
| N/A | N/A | C:\ProgramData\SxS\MSIDB.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSIDB.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\SxS\MSIDB.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\SxS\MSIDB.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\36877a5b3cc6e763976ca0ba166991cc_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 38003200370039003100360046003700420042003400410044003200440037000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSIDB.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSIDB.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\SxS\MSIDB.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\SxS\MSIDB.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\SxS\MSIDB.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\SxS\MSIDB.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\36877a5b3cc6e763976ca0ba166991cc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\36877a5b3cc6e763976ca0ba166991cc_JaffaCakes118.exe"
C:\ProgramData\svchost.exe
"C:\ProgramData\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSIDB.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSIDB.exe"
C:\ProgramData\SxS\MSIDB.exe
"C:\ProgramData\SxS\MSIDB.exe" 100 920
C:\ProgramData\SxS\MSIDB.exe
"C:\ProgramData\SxS\MSIDB.exe" 200 0
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe 209 1812
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| N/A | 10.127.255.255:53 | | udp |
| US | 12.130.162.99:80 | | tcp |
| US | 12.130.162.99:80 | | tcp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 12.130.162.99:80 | | udp |
| US | 8.8.8.8:53 | 99.162.130.12.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 135.72.21.2.in-addr.arpa | udp |
| US | 12.130.162.99:443 | | tcp |
| US | 12.130.162.99:443 | | tcp |
| US | 8.8.8.8:53 | 72.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
| US | 12.130.162.99:443 | | udp |
| US | 12.130.162.99:8080 | | tcp |
| US | 12.130.162.99:8080 | | tcp |
Files
C:\ProgramData\svchost.exe
| MD5 | 85678dc8f03dce5e8fb4215ec10e88b0 |
| SHA1 | c0dd7b916de9a354255414837d7c89cf71e900be |
| SHA256 | b0cd7582500d4230210250e6457658f91389065618590048dd1c2f7f007518a8 |
| SHA512 | bcad69bbf88eeb01f93ca6b82592caef6186f1f4779eee93d072e83c54beec759782a5d907b7dbf5b7f838a58e5eeabec0f32e7340d70f7ae4c8b7c3cd305eed |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSIDB.exe
| MD5 | 211494b619971b7fa34c456116a70adb |
| SHA1 | 0da44929534dc7104f8b661280586f4021bbb896 |
| SHA256 | cdfbbfdc781d0568dc2466bfbfa8d3ae8f84f80047d1a57f14a967c5dc8be4f4 |
| SHA512 | 13f785a01ed64d7abad41aafc124ae725a7d08318a6b77a0da1dda40a3eaa7c03010b739b480789fae29b7faa8ab251d76cd0e733690d4471bdf7bcf2aa1fd0d |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msi.dll
| MD5 | 9fabffc5382fd812239790802df74637 |
| SHA1 | b640e095141495a6904e52a87312d81470753441 |
| SHA256 | a01928402f9780c04e500f50631254fece3b53066fde20146ee9d94ea8ad8865 |
| SHA512 | 20dd2e04cf2ec53d761e613a50c284f92fb891a9e59399df0949d5e7b3a076f994d99b3f97b8e3195d2209e700a453535dbf4362443b54a4d13faa9f6e5ca623 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msi.dll.iso
| MD5 | 66b7b2035dfcefc976eccea6e5023214 |
| SHA1 | 3108f9efc7d8208e619048d70925956b2937fe20 |
| SHA256 | 1896247d690978b0346ec41c87163bc3f1e305da595a6e453f2b4e77df2110ea |
| SHA512 | 98e5a8cb53f4234eb4305de49622f27f8629a65cfa6ce845f86ef19aec952f03b27f3f2161c242f50ec36fabefcee0c5fdc74284e3ada7581de46f2f717aa872 |
C:\ProgramData\SxS\bug.log
| MD5 | e1b9ef227c45dc83f300cc779b37fae4 |
| SHA1 | 1e673e5b953007e1487309921d2b2265da1a0c25 |
| SHA256 | 7fe1e7a2669d44fbb3d53224f0268512a66f2ddf9f795b449ee1d0a26e8ce896 |
| SHA512 | e7bea53b0c6cb1c5a764ce78acfdfc71f838076f85ebf532816db2f08c0923547bae5fb5c9b618b891cdaef217957c061ad606e3e9de04f40b58b82d4123dbc0 |
C:\ProgramData\SxS\bug.log
| MD5 | 0ec8b234688a562b77bd0cccf95e141d |
| SHA1 | f3c38c66e544d02b0206b4ee896e601e9b7ce670 |
| SHA256 | 5aaefd4922553ec959620e9a429641edaff8e5ae253ca9a372cb0c0b67eef8d5 |
| SHA512 | b950cad40a6ce040703c47545a9c9e8d636c5582aaaa5f0e520a8480b77bca769e40ef22a721e6724729aa952f4baae1d49e486d064ef62385ec2753acfc3306 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-11 19:50
Reported
2024-10-11 19:53
Platform
win7-20241010-en
Max time kernel
150s
Max time network
142s
Signatures
Detects PlugX payload
PlugX
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSIDB.exe | N/A |
| N/A | N/A | C:\ProgramData\SxS\MSIDB.exe | N/A |
| N/A | N/A | C:\ProgramData\SxS\MSIDB.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\36877a5b3cc6e763976ca0ba166991cc_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\ProgramData\svchost.exe | N/A |
| N/A | N/A | C:\ProgramData\svchost.exe | N/A |
| N/A | N/A | C:\ProgramData\svchost.exe | N/A |
| N/A | N/A | C:\ProgramData\svchost.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSIDB.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSIDB.exe | N/A |
| N/A | N/A | C:\ProgramData\SxS\MSIDB.exe | N/A |
| N/A | N/A | C:\ProgramData\SxS\MSIDB.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\36877a5b3cc6e763976ca0ba166991cc_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\svchost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSIDB.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\SxS\MSIDB.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\ProgramData\SxS\MSIDB.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\svchost.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Wpad | C:\Windows\SysWOW64\svchost.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\CLASSES\FAST | C:\Windows\SysWOW64\svchost.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\FAST\CLSID = 43003500370032004400310041003800430031003400360044004200370036000000 | C:\Windows\SysWOW64\svchost.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSIDB.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSIDB.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\SxS\MSIDB.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\SxS\MSIDB.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\ProgramData\SxS\MSIDB.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\ProgramData\SxS\MSIDB.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\svchost.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Windows\SysWOW64\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\36877a5b3cc6e763976ca0ba166991cc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\36877a5b3cc6e763976ca0ba166991cc_JaffaCakes118.exe"
C:\ProgramData\svchost.exe
"C:\ProgramData\svchost.exe"
C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSIDB.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\MSIDB.exe"
C:\ProgramData\SxS\MSIDB.exe
"C:\ProgramData\SxS\MSIDB.exe" 100 2064
C:\ProgramData\SxS\MSIDB.exe
"C:\ProgramData\SxS\MSIDB.exe" 200 0
C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe 201 0
C:\Windows\SysWOW64\msiexec.exe
C:\Windows\system32\msiexec.exe 209 2852
Network
| Country | Destination | Domain | Proto |
| N/A | 10.127.255.255:53 | | udp |
| US | 12.130.162.99:80 | | tcp |
| US | 12.130.162.99:80 | | tcp |
| US | 12.130.162.99:80 | | tcp |
| US | 12.130.162.99:80 | | udp |
| US | 12.130.162.99:443 | | tcp |
| US | 12.130.162.99:443 | | tcp |
| US | 12.130.162.99:443 | | tcp |
Files
\ProgramData\svchost.exe
| MD5 | 85678dc8f03dce5e8fb4215ec10e88b0 |
| SHA1 | c0dd7b916de9a354255414837d7c89cf71e900be |
| SHA256 | b0cd7582500d4230210250e6457658f91389065618590048dd1c2f7f007518a8 |
| SHA512 | bcad69bbf88eeb01f93ca6b82592caef6186f1f4779eee93d072e83c54beec759782a5d907b7dbf5b7f838a58e5eeabec0f32e7340d70f7ae4c8b7c3cd305eed |
\Users\Admin\AppData\Local\Temp\RarSFX0\MSIDB.exe
| MD5 | 211494b619971b7fa34c456116a70adb |
| SHA1 | 0da44929534dc7104f8b661280586f4021bbb896 |
| SHA256 | cdfbbfdc781d0568dc2466bfbfa8d3ae8f84f80047d1a57f14a967c5dc8be4f4 |
| SHA512 | 13f785a01ed64d7abad41aafc124ae725a7d08318a6b77a0da1dda40a3eaa7c03010b739b480789fae29b7faa8ab251d76cd0e733690d4471bdf7bcf2aa1fd0d |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msi.dll
| MD5 | 9fabffc5382fd812239790802df74637 |
| SHA1 | b640e095141495a6904e52a87312d81470753441 |
| SHA256 | a01928402f9780c04e500f50631254fece3b53066fde20146ee9d94ea8ad8865 |
| SHA512 | 20dd2e04cf2ec53d761e613a50c284f92fb891a9e59399df0949d5e7b3a076f994d99b3f97b8e3195d2209e700a453535dbf4362443b54a4d13faa9f6e5ca623 |
C:\Users\Admin\AppData\Local\Temp\RarSFX0\msi.dll.iso
| MD5 | 66b7b2035dfcefc976eccea6e5023214 |
| SHA1 | 3108f9efc7d8208e619048d70925956b2937fe20 |
| SHA256 | 1896247d690978b0346ec41c87163bc3f1e305da595a6e453f2b4e77df2110ea |
| SHA512 | 98e5a8cb53f4234eb4305de49622f27f8629a65cfa6ce845f86ef19aec952f03b27f3f2161c242f50ec36fabefcee0c5fdc74284e3ada7581de46f2f717aa872 |
C:\ProgramData\SxS\bug.log
| MD5 | ec852d98c76df12fcfe89b3e730a469e |
| SHA1 | 75e060a49db77b57433291ac8b35dfba0e8662eb |
| SHA256 | f6f869d39fe57b7ddd766d814c537d276ea1ee970c4449c4850818c94820c3c5 |
| SHA512 | 1b3152643feeff7f644db3a5a3d088595acd9d7c173ed4a915c9ae2751086d2fca94357738683fc6095db64c48b042c1f64a80a9201036a9ac6218a206eea465 |